Course Objectives

• Learn how to effectively use the Network General Corporation Expert Sniffer™ Network Analyzer as a network troubleshooting tool
• Gain insight and skill in troubleshooting techniques using hands-on exercises
• Understand proactive network monitoring and baselining methods
Major Topics

• Introducing the Sniffer™
• Expert Sniffer™ Network Analyzer
• Capturing Network Traffic
• Displaying Captured Traffic
• Using Filters
• Using Triggers
• Advanced Sniffer™ Features
• Practical Sniffer™ Applications
How to Contact Network General

• Technical Support Hotline
  (800) 395-3151
  FAX: 415-327-9436
  Internet: support@ngc.com
  CompuServe: type GO NETGENERAL at any ! prompt

• SniffNet Bulletin Board
  (415) 327-4782, 300-14,400 bps, 8, N, 1

• HAVE YOUR SERIAL NUMBER READY!
Recommended Reading

1. ANSI/IEEE, Carrier Sense Multiple Access with Collision Detection (CSMA/CD), IEEE Standard 802.3, published by The Institute of Electrical and Electronics Engineers, distributed in cooperation with Wiley-Interscience, a division of John Wiley & Sons, 1985. (Supplements also available.)
2. ANSI/IEEE, Token Ring Access Method and Physical Layer Specifications, IEEE Standard 802.5, published by The Institute of Electrical and Electronics Engineers, distributed in cooperation with Wiley-Interscience, a division of John Wiley & Sons, 1989.
3. Apple Computer, Inc., AppleTalk Network System Overview, Addison-Wesley Publishing Company, 1989.
4. Comer, Douglas E., Internetworking with TCP/IP: Volume I, 2nd edition, Prentice Hall, 1991.
5. Gurugé, Anura, SNA Theory and Practice, Pergamon Infotech Limited, 1987.
6. IBM, Token Ring Network Architecture Reference, 2nd ed., 1987. SC30-3374-01.
7. IBM, Token Ring Network Introduction and Planning Guide, 2nd ed., 1986. GA27-3677-01.
8. Chappell, Laura, Novell's Guide to NetWare LAN Analysis, Sybex Inc., 1993.
9. Malamud, Carl, DEC Networks and Architectures, McGraw-Hill, 1989.
10. Miller, Mark A., Internetworking: A Guide to Network Communications LAN to LAN; LAN to WAN, M&T Books, 1991.
11. Miller, Mark A., LAN Protocol Handbook, M&T Books, 1990.
12. Miller, Mark A., LAN Troubleshooting Handbook, M&T Books, 1989.
13. Nemzow, Martin, Keeping the Link: Ethernet Installation & Management, McGraw-Hill, 1988.
14. Sidhu, Gursharan, Andrews, Richard, Oppenheimer, Alan B., Inside AppleTalk, 2nd Edition, Addison-Wesley Publishing Company, 1990.
Section Summary

• Introductions
• Course objectives
• Main topics covered
• Contacting Network General Corporation
• Recommended reading
Section Objectives

• Introduce the Sniffer
• Outline how Sniffers work
• Illustrate how to get started
What is a Sniffer?

• A network troubleshooting tool that assists you in finding and solving network communication problems, analyzing and optimizing network performance, and planning for future growth.

• A hardware and software combination that includes:
  — DOS
  — Sniffer Software (provided by Network General)
  — Personal Computer with a minimum of 8MB RAM and 10MB free disk
  — Network Interface Card (provided by Network General)
Distributed Sniffer System

[Figure: the Distributed Sniffer System shown alongside a Portable Sniffer.]
SniffMaster Consoles

• Provides simultaneous access to up to 30 Sniffer Servers
• Consolidates alarm information from multiple Sniffer Servers
• Downloads updates and new applications to Sniffer Servers
• Provides centralized printer support
• Both Ethernet and Token Ring Consoles are supported
• The SniffMaster Console is available as a software and interface board kit for use on any standard PC.
LAN and WAN Connections

Sniffer Server™: Extending the benefits of network analysis to the wide area

[Figure: a LAN Segment with a Sniffer Server, connected through a Bridge/Router across the WAN to a SniffMaster Console.]

• Full 7-layer protocol analysis on your WAN:
  — Enables improved applications performance
  — Leads to decreased monthly line costs
  — Consistent user interface eliminates additional user training
  — Dual LAN/WAN support minimizes customer investment
How Does a Sniffer Work?

• "Captures" all network traffic
  — Protocol Interpretation turns an unintelligible stream of bits and bytes into clearly labeled commands and readable text

• Learns about and counts the number of "Network Objects"
  — Expert Analysis provides automatic identification of the most common network problems at all seven layers of the OSI model and learns network configurations automatically

• Reports "Symptoms" and "Diagnoses" as they occur

• Displays network traffic
The Main Selection Menu

    The Sniffer Network Analyzer
    (C) Copyright 1986-1994, Network General Corporation

    Main Selection Menu - Release 4.4

    Ethernet-II Analyzer           DCA Remote2
    Token-Ring-16/4 Analyzer       Internal VGA adapter
    Ethernet-II Monitor            Internal Monochrome adapter
    Token-Ring-16/4 Monitor        External LCD projector
    Return to DOS

    Suites: IBM, Novell, XNS/MSNET, TCP/IP, SUN, ISO, DECnet,
            Banyan, AppleTalk, XWindows, X25, Expert
    Use arrow keys to select, then press Enter.
Main Menu Option Descriptions

• Analyzers
  — The analyzers collect and display all network traffic. If Expert Analysis is enabled, the analyzers can actually learn the details of your network and notify you of problems.

• Monitors
  — The monitors view all network traffic, calculate a variety of significant statistics, and generate reports.

• Remote operation
  — DCA Remote2 facilitates remote operation of the Sniffer.

• Video choices

• Exit
Navigating the Main Menu

• Moving through the menu
  — Use your arrow keys to move up, down, left, and right

• Selecting options
  — Highlight the option you wish to execute and press the <Enter> key

• Leaving and returning to the menu
  — Leaving the Sniffer Main Menu: select Return to DOS and press <Enter>, or press <ESC>
  — Returning to the Sniffer Main Menu: type MENU at the command line and press <Enter>
Section Summary

• What is a Sniffer?
• How do Sniffers work?
• How do you get started?
Section Objectives

• Identify Expert Analyzer design and capabilities
• Learn to access the Analyzer
• Introduce the functions of the Analyzer
• Learn to navigate the Analyzer menu
• Define system options
The Initialization Screen

    INITIALIZATION

    The Sniffer Network Analyzer
    for Ethernet

    Version 4.46

    Network General Corporation
    (C) Copyright 1986 - 1994

    Press any key

    Serial number:   8319HBD36654
    Network address: 888665695A93

The initialization screen reports the version, serial number and the DLC address of the invoked analyzer software. This information is vital when contacting Network General's technical support.
The Sniffer Network Analyzer Main Menu

    Expert Sniffer         Cable tester ↵
    Network Analyzer       Traffic generator ↵
                           Capture filters        Buffer = 5136K EXP ↵
    Ethernet               Trigger                Frame size
                           Schedule ↵             | Expert mode
    Version 4.46           Capture ↵              | Classic mode
                           Display ↵              | Highspeed mode
    (C) Copyright          Expert config          Screen format
    1986 - 1994            Files                  From <Ethernet> ↵
                           Options
                           Exit

    Begin data collection from the network (or the specified data file).
    Use the arrow keys to move, or ENTER to do this function.
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Analyzer Menu Options 


Cable tester TDR-like testing of the coaxial cable (Ethernet only) 


Traffic generator Send frames to load the network 


Capture filters Apply filters to limit which frames are captured 
Trigger Wait for a special event, and then capture it 


Schedule Configure your analyzer to perform a variety of unattended 
operations. 


Capture Begin capture and set realtime display options 


Display Display captured data/Select formats and Manage 
names/Print information 


Expert config Configure expert diagnosis thresholds and settings 


Files Load, save, delete data or setups; save Expert Database 
information; change directories 


Options General Sniffer operational settings, reset defaults 


Exit Exit to the Main Selection Menu 
Menu Structure

• Tree on its side
  — Always three menu panels shown
  — Left panel shows where you came from (parent)
  — Center panel shows the current options
  — Right panel shows sub-options for the highlighted selection

[Figure: a tree of branches drawn on its side, root at the left, branching to the right.]
Overview of the User Interface

• You interact with the Sniffer through its menus and function keys.
  — In many cases a menu option and a function key have the same function.
  — In most cases the function keys are context sensitive (with the exception of F1 - Help) or specific to whatever is displayed. Always check the bottom of your screen for the current functionality of each key.
  — Depending on your network, the Main Selection Menu may vary slightly, but the process of using the menu is universal.
Arrow Keys

• Press one of the four arrow keys to move the highlight bar to the desired menu item.
• Notice that the menu moves around the highlight bar; it is always in the center of your Sniffer's screen.
The "Hooked" Arrow

• For options followed by a ↵ symbol, pressing Enter when the option is highlighted either executes the command, or displays a list of options or a dialog box.

Example One: Cable tester ↵ in the Analyzer menu. Status line: "Test the cable for a short or an open."

Example Two: the Files menu, offering Data and Setups, with Data file ↵ and Directory ↵ entries. Status line: "Load capture-buffer data from a disk file."

[Both screen shots end with the usual prompt: "Use the arrow keys to move, or ENTER to do this function."]
The √ and the X

• Options preceded by a √ or an X symbol can be enabled or disabled with the toggle switch (space bar).
  √ Enabled or Included
  X Disabled or Excluded
• Alt-space inverts all items in a column.
• Each of these options is always either enabled or disabled.

Example:
    √ Expert window
    √ Summary window
    X Detail window
    X HEX window
    X Two viewports
Vertical Bar (a.k.a. Radio Control Buttons)

• Options connected to a vertical bar (radio control) can be chosen by moving the highlight bar to that option and pressing the space bar (toggle switch). Only one option may be chosen.
• ALL OTHER OPTIONS WILL BE DESELECTED AUTOMATICALLY.
• This format represents an option group where only one of the choices listed may be selected at any one point in time.

Example:
    | Show frame counts
    | Show Kbyte counts
    | Show NW usage

Network General, Troubleshooting with the Expert Sniffer Network Analyzer - 6/94 Rev. 4.4
Other User Interface Options

© Copyright 1990 - 1994 Network General Corporation. All rights reserved.

More ▲   More menu selections above
More ▼   More menu selections below

Example (display filter menu, as far as the screen shot is legible):

    Address level
    Destination class
    Station address
    Protocol
    Pattern match
    √ Network object ↵
    X Symptom frames
    X Selected frames
    √ Good frames
    More ▲
    √ RI        √ LLC       √ SNAP      √ LOOP      √ BPDU
    √ Netmap TCP            √ NGCP      √ XTP
    √ Token Ring            √ Ethernet  √ Ethertype √ MAC
    More ▼

    Display frames with Netmap XNS fields?
    Press SPACE to enable (√) or disable (X); Ctrl-space
Help!

• Highlighted menu option
  This option provides a brief description of the option's function. This information is found at the bottom of the Sniffer menu screen and is updated for you automatically as you move through the menus.

• The "F1 Help" key
  Pressing F1 Help brings up an indexed help facility for operating the Expert Sniffer Network Analyzer.

• The "F1 Explain" key
  Depending on the symptom or diagnosis highlighted, the explanation will include why Expert made that symptom or diagnosis, and will also provide possible causes and information for further investigation. In addition, you have the ability to configure Explain messages specific to your network, called User Explain messages. If entered and enabled, these messages will appear with the Expert Explain messages that are displayed when you press the "F1 Explain" key.

  F1 Explain is a context-sensitive help facility that is only accessible from the Expert window during capture and display.
System Options

• Once you know how to navigate around the menu, you can consider the following system options:
  — Language
  — Audible Clicks
  — Interpret RI bit
  — Use Defaults
Language

Bonjour! Guten Tag! Hello! Bon Giorno!

• There are currently 4 languages available in which you can display the help and the explain files:
  — ENGLISH
  — FRENCH
  — GERMAN
  — ITALIAN

• To change the language selection, select OPTIONS, then LANGUAGE; highlight the desired language, and press the space bar.
Audible Clicks

• The Audible Clicks option determines whether or not the Sniffer "clicks" each time it accepts a frame into the capture buffer and when it transmits a frame during traffic generation.

• Clicks are enabled by default; to disable them, select OPTIONS\AUDIBLE CLICKS and press the space bar to toggle from √ to X.
Interpret RI

• The RI option determines whether or not the least or most significant bit (depending on the technology) of the source address field is interpreted as a source routing indicator.

• By default, RI is enabled, which means that the Sniffer treats DLC source addresses as 47 bits in length and calls the RI interpreter to decode the routing information within the frame if the designated bit indicates its presence.
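The mechanics behind the Interpret RI option, as an added example (this is not Network General's code or course material): in IEEE 802.5 source routing the Individual/Group bit of the source address is reused as the Routing Information Indicator, because a source address can never be a group address, and when it is set a Routing Information Field (RIF) follows the source address. With the option on, the analyzer strips that bit from the address (leaving the 47 real address bits) and decodes the RIF; with it off, the bit is shown as part of the address and the RIF bytes are treated as payload. The frame bytes, station addresses and ring/bridge numbers below are constructed for illustration; the bit positions and RIF layout follow the 802.5 standard.

```python
"""Added example (not from the Network General course): how the Token Ring
Routing Information Indicator (RI) bit is read from a source address and how
the Routing Information Field (RIF) that follows it is decoded. The frame
bytes below are constructed for illustration."""
import struct

# Which bit of the first source-address byte carries the I/G flag that 802.5
# source routing reuses as the RI indicator: most significant in Token Ring
# (non-canonical) bit order, least significant in Ethernet (canonical) order.
RI_BIT = {"token_ring": 0x80, "ethernet": 0x01}

ROUTE_TYPES = {0: "specifically routed", 1: "all-routes explorer", 2: "spanning-tree explorer"}


def ri_indicated(src_addr: bytes, technology: str = "token_ring") -> bool:
    """True if the designated bit of the source address signals a RIF."""
    return bool(src_addr[0] & RI_BIT[technology])


def address_without_ri(src_addr: bytes, technology: str = "token_ring") -> str:
    """The 47 real address bits, as the Sniffer shows them with Interpret RI on."""
    first = src_addr[0] & (0xFF ^ RI_BIT[technology])
    return (bytes([first]) + src_addr[1:]).hex().upper()


def parse_rif(rif: bytes) -> dict:
    """Decode an 802.5 RIF: 2-byte routing control + 2-byte route descriptors."""
    rc0, rc1 = rif[0], rif[1]
    length = rc0 & 0x1F                      # total RIF length in bytes (2..30)
    if length < 2 or length > 30 or length % 2 or length > len(rif):
        raise ValueError("invalid RIF length %d" % length)
    rtype = rc0 >> 5                         # top 3 bits: 0xx / 10x / 11x
    if not rtype & 0b100:
        kind = ROUTE_TYPES[0]
    elif not rtype & 0b010:
        kind = ROUTE_TYPES[1]
    else:
        kind = ROUTE_TYPES[2]
    descriptors = []
    for off in range(2, length, 2):
        word = struct.unpack("!H", rif[off:off + 2])[0]
        descriptors.append((word >> 4, word & 0xF))   # (ring number, bridge number)
    return {
        "length": length,
        "type": kind,
        "direction": (rc1 >> 7) & 1,         # 0 = read descriptors left to right
        "largest_frame_code": (rc1 >> 4) & 0x7,
        "route": descriptors,
    }


def decode_token_ring(frame: bytes, interpret_ri: bool = True) -> dict:
    """Decode a Token Ring frame starting at the Access Control byte:
    AC(1) FC(1) DA(6) SA(6) [RIF] payload."""
    da, sa = frame[2:8], frame[8:14]
    out = {"dst": da.hex().upper(), "src": sa.hex().upper(), "rif": None}
    payload_start = 14
    if interpret_ri and ri_indicated(sa):
        rif_len = frame[14] & 0x1F
        out["rif"] = parse_rif(frame[14:14 + rif_len])
        out["src"] = address_without_ri(sa)   # strip the RI bit from the address
        payload_start += rif_len
    out["payload"] = frame[payload_start:]
    return out


# Constructed frame: station 10005A000002 sends to 10005A000001 through
# bridge 1 from ring 1 onto ring 2 (specifically routed, two descriptors).
SAMPLE_FRAME = bytes.fromhex(
    "10" "40"                      # AC, FC (LLC frame)
    "10005A000001"                 # destination
    "90005A000002"                 # source with the RI bit (0x80) set
    "06" "30"                      # routing control: SR, length 6, LF code 3
    "0011" "0020"                  # ring 1 / bridge 1, ring 2 / bridge 0
    "AAAA03" "000000" "0800"       # SNAP header standing in for the payload
)

if __name__ == "__main__":
    print(decode_token_ring(SAMPLE_FRAME, interpret_ri=True))
    print(decode_token_ring(SAMPLE_FRAME, interpret_ri=False))
```

Run with the option off and the same frame decodes with source 90005A000002 and the six RIF bytes at the front of the payload, which is exactly the confusion the default setting avoids on a source-routed Token Ring.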
Resetting All Options

• Selecting OPTIONS\USE DEFAULTS restores the Analyzer's default factory settings for all options, including the capture and display filters, triggers, and other options.

• All defaults are stored in the file DEFAULTS.xxS.
What is an Expert System?

• "An expert system is a computer program that simulates the thought process of a human expert to solve complex decision problems in a specific domain."

• A move away from Artificial Intelligence's primary goal of the General Problem Solver; expert systems solve problems in a specialized field.

• Emulates the way a human solves problems based on facts as well as learning, intuition, judgment and logical inference.

Source: Badiru, Adedeji, Expert Systems Applications in Engineering and Manufacturing, Prentice Hall, 1992.
Simulating the Diagnostic Skills of the Human Expert

• Humans excel at "irrational" reasoning
• Humans make assumptions

• A study of chess players found that the best chess player is NOT the one who can envision the highest number of situations. Chess masters consider fewer moves than novices, but are better at making assumptions and simplifying the analysis.

Source: Parsaye, Kamran & Chignell, Mark, Expert Systems for Experts, John Wiley & Sons, 1988.
Expert System Model

    Millions of bits of information
              |
              v
    Perception Process
      Involves most of the work, though does not do any reasoning.
      Reduces information to an abstract view of the world.
              |
              v
    View of the World
              |
              v
    Thinking Process
      Compares related objects, makes assumptions.
What is the Expert Sniffer Network Analyzer?

• An Expert System specializing in local and wide area network analysis.

• A tool which incorporates learned information about your network, user configurable and pre-defined thresholds, and pre-programmed protocol and standard knowledge to search for potential problems on your network.

• A Network General program consisting of Expert Analysis and Protocol Interpretation applications.
Expert Sniffer Analyzer Architecture

    Local Area Network
              |
    Real time 7-layer     Real time 7-layer     Real time 7-layer
    Protocol Decode       Protocol Decode       Protocol Decode
    TCP family            Novell family         DECnet family
              |
    Perception Process  -->  Semantic Network of Objects
                                        |
    Knowledge Sources   -->  Thinking Process
Sniffer Architecture Descriptions

- The Expert Sniffer Analyzer makes its diagnosis by reading the problems in the packets on the network. There is no need for a protocol, such as SNMP, that queries devices to see if they are healthy. There is no need for the user to input hypotheses.

- The perception level deals with the understanding of each packet, filtering information noise, matching the frame to our model of the world. A representation of the world is built. We create or update a few objects and link them together into a semantic network of objects. When the expert system starts, the network of objects is empty. As each packet comes in, we create workstation objects, network address objects, connection objects.

- The thinking level correlates packets, compares new information with known information, and uses knowledge sources - simple C programs which recognize problems at different layers. The knowledge sources are based on NGC's years of experience troubleshooting complex networks.
Some Definitions

• Network Object
  Network events and components about which the Sniffer learns through listening to your network traffic. Using this information, coupled with "built in" knowledge about protocols and standards, the Sniffer can find network problems for you.

• Symptom
  An abnormal or unusual network event indicative of a possible network problem.

• Diagnosis
  Caused by several symptoms or recurrences of a symptom — more than just an indication of a possible problem, or,
  caused by a single network event that is immediately considered to be a problem.
Some Examples

Network Objects

Application                        File transfers, print jobs, terminal sessions
Connection (end to end connections) Sessions, connections
Network                            Network stations, networks, subnetworks, servers, routing nodes
Data link (point to point)         Stations, bridges; in Token Ring, Media Access Control entities such as Active Monitor, Error Monitor
Some More Examples

Symptoms
  Frame too short, IP continuation frames out of order, long ACK time, multiple routers to a remote node, file re-transmission.

Diagnoses
  1. Caused by several symptoms — too many routers to a remote node, too many file retransmissions, too many Token Ring receiver congestion errors in a minute.
  2. Caused by a single network event — duplicate network address, local router to a node, connection broken because a station stopped responding.
Symptoms Versus Diagnoses

    Network Traffic
        -> Protocol Decode and Real Time Analysis
        -> Thresholds (some are user-defined)
        -> If exceeded:

    Symptoms                                 | Diagnoses
    -----------------------------------------+------------------------------------------------
    Less serious; usually result from        | More serious; result from exceeding multiple
    exceeding one threshold.                 | thresholds or from the occurrence of a
                                             | problematic event.
    Display a symptom message.               | Display a diagnosis message.
    Update symptom count.                    | Update diagnosis count.
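To make the perception/thinking split of the architecture slides and the symptom-versus-diagnosis rule above concrete, here is a toy expert analyzer as an added example. It is not Network General's code: the object fields, rule names and thresholds are this example's own, and the frames it reads are constructed, already-decoded dictionaries (protocol interpretation is assumed to have happened). Perception creates station, network-address and connection objects; three small knowledge sources then raise "Frame too short" (one threshold crossed), "Too many file retransmissions" (recurrences of a symptom on one connection) and "Duplicate network address" (a single event that is immediately a problem).

```python
"""Added example, not Network General's code: a toy of the Expert Sniffer's
perception/thinking model. Perception turns already-decoded frames into objects
(stations, network addresses, connections); thinking runs small knowledge
sources that raise a symptom when one threshold is crossed and a diagnosis when
symptoms recur or a single serious event occurs. Frames, thresholds and rule
names below are constructed for illustration."""
from collections import Counter

THRESHOLDS = {                      # what the Expert settings menu would expose
    "min_frame_bytes": 64,          # shorter than this = runt ("Frame too short")
    "retransmissions_per_connection": 3,
}


class MiniExpert:
    def __init__(self, thresholds=THRESHOLDS):
        self.t = thresholds
        self.stations = set()       # Data Link objects
        self.addr_owner = {}        # network address -> DLC address first seen using it
        self.connections = {}       # (src, dst) -> sequence numbers already seen
        self.symptoms = []          # (layer, text, object)
        self.diagnoses = []         # (layer, text, object), each raised once

    # perception: create or update objects in the semantic network
    def perceive(self, f):
        self.stations.update((f["dlc_src"], f["dlc_dst"]))
        self.addr_owner.setdefault(f["ip_src"], f["dlc_src"])
        self.connections.setdefault((f["ip_src"], f["ip_dst"]), set())

    # thinking: one knowledge source per Expert layer
    def ks_data_link(self, f):
        if f["length"] < self.t["min_frame_bytes"]:
            self.symptoms.append(("Data Link", "Frame too short", f["dlc_src"]))

    def ks_network(self, f):
        if self.addr_owner[f["ip_src"]] != f["dlc_src"]:
            # a single event is already a problem: two stations claim one address
            self.diagnose("Network", "Duplicate network address", f["ip_src"])

    def ks_connection(self, f):
        conn = (f["ip_src"], f["ip_dst"])
        if f["seq"] in self.connections[conn]:
            self.symptoms.append(("Connection", "File retransmission", conn))
            recurrences = sum(1 for s in self.symptoms if s[1:] == ("File retransmission", conn))
            if recurrences >= self.t["retransmissions_per_connection"]:
                self.diagnose("Connection", "Too many file retransmissions", conn)
        self.connections[conn].add(f["seq"])

    def diagnose(self, layer, text, obj):
        if (layer, text, obj) not in self.diagnoses:
            self.diagnoses.append((layer, text, obj))

    def analyze(self, frames):
        for f in frames:
            self.perceive(f)
            for ks in (self.ks_data_link, self.ks_network, self.ks_connection):
                ks(f)
        return self.overview()

    def overview(self):
        """Per-layer tallies, in the spirit of the Expert Overview screen."""
        sym = Counter(s[0] for s in self.symptoms)
        diag = Counter(d[0] for d in self.diagnoses)
        return {layer: {"symptoms": sym[layer], "diagnoses": diag[layer]}
                for layer in ("Application", "Connection", "Network", "Data Link")}


def frame(dlc_src, dlc_dst, ip_src, ip_dst, seq, length=512):
    return dict(dlc_src=dlc_src, dlc_dst=dlc_dst, ip_src=ip_src, ip_dst=ip_dst,
                seq=seq, length=length)


# Constructed traffic: A -> B file transfer with repeated sequence numbers, one
# runt frame, then a third station answering from B's network address.
A, B, IMPOSTER = "0000A0000001", "0000A0000002", "0000A0000099"
SAMPLE_FRAMES = [
    frame(A, B, "10.1.1.5", "10.1.1.9", 1),
    frame(A, B, "10.1.1.5", "10.1.1.9", 2),
    frame(A, B, "10.1.1.5", "10.1.1.9", 2),               # retransmission 1
    frame(A, B, "10.1.1.5", "10.1.1.9", 3, length=40),    # runt: Data Link symptom
    frame(A, B, "10.1.1.5", "10.1.1.9", 3),               # retransmission 2
    frame(A, B, "10.1.1.5", "10.1.1.9", 3),               # retransmission 3 -> diagnosis
    frame(B, A, "10.1.1.9", "10.1.1.5", 1),               # B legitimately owns 10.1.1.9
    frame(IMPOSTER, A, "10.1.1.9", "10.1.1.5", 7),        # duplicate network address
]


def run_demo():
    expert = MiniExpert()
    return expert, expert.analyze(SAMPLE_FRAMES)
```

Note the retransmission rule only becomes a diagnosis on the third recurrence, while the duplicate-address rule fires on the first frame that contradicts the object database; that is the whole difference the table above draws, and lowering `retransmissions_per_connection` is the user-defined threshold the Expert settings menu is for.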
Expert Analyzer Layers

• Expert Analyzer Layers are the network layering scheme used by the expert analyzer to categorize network problems.

• In addition to the four Expert layers, the Expert Overview also tallies Global Symptoms and Subnet Pairs.

• Global Symptoms are those symptoms which do not reside at any particular layer.

• Subnet Pairs provides information on all communicating subnets the Expert Analyzer detects.

• The Expert layering structure is also used to group thresholds for symptoms and diagnoses in the Expert settings menu.
Expert Analyzer Layers

During its realtime analysis of frames, the Expert analyzer categorizes the symptoms and diagnoses it sees into the following layers:

Application          Examines the session establishment and communications between two application processes.
Connection           Checks for problems related to the efficiency of end-to-end connections.
Network              Checks for network addressing and routing problems. Also interprets traffic between subnetworks and measures the distance between subnetworks in hops.
  Subnet Pairs       This subcategory provides information on all communicating subnetworks.
Data Link Control    Keeps track of the actual transfer of data, identifying LAN overloads, broadcast storms, and error frames.
Global Symptoms      This subcategory deals with symptoms which do not reside at any particular layer. Examples: broadcast storms, LAN overload, etc.
Expert Analyzer Layers and OSI Layers

    OSI             Expert Sniffer
    --------------  --------------
    Application     \
    Presentation     > Application
    Session         /
    Transport       Connection
    Network         Network
    Data Link       \
    Physical        /  Data Link
Protocols and Architectures Supported

• Protocol Interpreters
  IBM, Novell NetWare, XNS MS-Net, TCP/IP, Sun NFS, ISO, DECnet, Banyan VINES, AppleTalk, X.25, X.400, X.500, X Windows, Nestar PLAN, SNMP v2, Custom (user written)

• Architectures
  Ethernet, Token Ring, FDDI, WAN
Section Summary

• Expert Analyzer design and capabilities
• Accessing the Analyzer
• Functions of the Analyzer
• Navigating the Analyzer menu
• System options
Illustrated

[Figure: capture data flow, labeled Trigger Detector, Capture From <File> Option, Capture Buffer, Discard, Expert Mode (Object Database, Diagnosis Overview™) and Classic Mode (Classic Capture Views, e.g. Skylines).]

Capturing Network Traffic
Section Objectives

• Define "Capture"
• Define Capture Options
  — Mode
  — Source
  — Screen Format
  — Frame Size
• Introduce File Maintenance
  — Saving
  — Retrieving
• Discuss Low Memory Situations
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Defining a Capture 


What is a Capture? 
Capturing is the act of recording network traffic 
into the Sniffer's "Capture Buffer". 


What is a Capture Buffer? 
The Capture Buffer is an area in RAM set aside for 
the temporary holding of traffic that passes the 
"Capture Filter”. 


What is a Capture Filter? 
The Capture Filter is a group of settings which 
permit the Sniffer to accept frames which meet the 
defined criteria and reject all others allowing you 
to limit the frames recorded in the Capture Buffer. 
Capture Limitations

• Buffer Size
  — The capture buffer is limited in size, so the amount of information you can capture and retain within the buffer is limited.

• Environment Type
  — The portable Sniffer is designed to support the scanning of a single network segment. In multi-segment LANs or WANs, a Distributed Sniffer System or multiple portable Sniffers may be required.
  — Some advanced features are limited to specific architectures.

• Capture Filters
  — Filters provide you with the ability to select the criteria by which frames are permitted to enter the buffer. You have the ability to limit the type of frames accepted.
Capturing in a Bridged Environment

[Figure: Nodes A, B and C on the Sniffer's segment, joined by a bridge to a second segment with Nodes D, E and F.]

The Sniffer will:
  — see frames going between Nodes A, B and C.
  — see traffic bridged between the two networks.
  — not see frames going between Nodes D, E and F.

At the Data Link layer, the source and destination addresses will be the end nodes' addresses. You will not see the bridge's addresses.

Example: If Node D communicates with Node A, the Sniffer can analyze the session. The DLC addresses will be Node D's and Node A's.
Capturing in a Routed Environment

[Figure: Nodes A, B and C on Network 201 with the Sniffer, joined by a router to Network 200 with Nodes D, E and F.]

The Sniffer will:
  — see all traffic on Network 201 between Nodes A, B and C
  — see all traffic to and from Network 201 and Network 200
  — not see the traffic on Network 200 between Nodes D, E and F

At the data link layer, the source and destination DLC addresses will be the node and the router.

At the network layer, the source and destination addresses will be the nodes' network layer addresses.

Example: If Node D communicates with Node A, the Sniffer sees the DLC addresses of the router and Node A.

At the network layer, the Sniffer sees the network layer addresses of Node D and Node A (i.e. IP, XNS, or AppleTalk addresses).
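The bridged and routed cases above come down to which addresses survive the forwarding device, and that is visible in the first 34 bytes of an Ethernet II frame carrying IP. The following added example (not part of the course; MAC addresses, IP addresses and the router port are constructed) builds the D-to-A frame as the Sniffer on A's segment would see it in each topology and decodes it into the DLC pair and the network-layer pair. Across the bridge the DLC source is still Node D; across the router it is the router's port, the TTL has been decremented, and only the IP header still names Node D. The decoder also verifies the IP header checksum, a cheap way to tell a real routed frame from a mangled one.

```python
"""Added example (not from the course): decode a captured Ethernet II frame
carrying IPv4 and report the two address pairs the text contrasts, the DLC
(MAC) pair and the network-layer (IP) pair. Frames are built here for the two
topologies discussed: Node D reaching Node A across a bridge (DLC addresses
are the end nodes') and across a router (the DLC source is the router's port).
All addresses are constructed."""
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header: bytes) -> int:
    """Standard Internet checksum over the IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dlc_src, dlc_dst, ip_src, ip_dst, payload=b"", ttl=64):
    """Ethernet II + minimal IPv4 header (protocol 17/UDP, no options)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, 17, 0,
                      ipaddress.IPv4Address(ip_src).packed,
                      ipaddress.IPv4Address(ip_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = (bytes.fromhex(dlc_dst.replace(":", "")) + bytes.fromhex(dlc_src.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + hdr + payload


def mac(b: bytes) -> str:
    return ":".join("%02X" % x for x in b)


def decode(frame: bytes) -> dict:
    """Protocol interpretation for the two layers the text talks about."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dlc_src": mac(src), "dlc_dst": mac(dst), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out                                     # not IP: DLC pair only
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    out["ip_header_ok"] = ip_checksum(ip[:ihl]) == 0   # a valid header sums to zero
    out["ttl"], out["proto"] = ip[8], ip[9]
    out["net_src"] = str(ipaddress.IPv4Address(ip[12:16]))
    out["net_dst"] = str(ipaddress.IPv4Address(ip[16:20]))
    return out


# Constructed stations: Node A, Node D and the router port facing A's segment.
NODE_A, NODE_D, ROUTER_PORT = "02:00:00:00:00:0A", "02:00:00:00:00:0D", "02:00:00:00:00:F1"
IP_A = "192.0.2.10"


def captured_on_node_a_segment():
    """What the Sniffer on A's segment sees for a D -> A frame in each topology."""
    # Bridge: forwards the frame unchanged, D and A share one IP network.
    bridged = build_frame(NODE_D, NODE_A, "192.0.2.13", IP_A, b"hello")
    # Router: rewrites the DLC header with its own port and decrements TTL;
    # D now lives on another IP network, but the IP addresses are untouched.
    routed = build_frame(ROUTER_PORT, NODE_A, "198.51.100.13", IP_A, b"hello", ttl=63)
    return {"bridged": decode(bridged), "routed": decode(routed)}


if __name__ == "__main__":
    for topology, view in captured_on_node_a_segment().items():
        print(topology, view["dlc_src"], "->", view["dlc_dst"], "|",
              view["net_src"], "->", view["net_dst"])
```

The practical consequence for a station-address filter: in the routed case a DLC filter on Node D's address matches nothing on A's segment, so the filter must be set at the network layer (the Protocol / Station address levels the filter menus offer) to follow D's traffic.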
Capture Menu Overview

    Capture    Buffer = 5408K EXP ↵
               Frame size        | 32 bytes
                                 | 64 bytes
                                 | 128 bytes
                                 | 256 bytes
                                 | 512 bytes
                                 | Whole frame
               | Expert mode
               | Classic mode
               | Highspeed mode *
               Screen format     | Show frame counts
                                 | Show KByte counts
                                 | Show NW usage
                                 Name width = 15 ↵
                                 | Linear bar scale
                                 | Log bar scale
                                 | 1 second update
                                 | 1 hour update
                                 Expert window
                                 Individual counts
                                 Pair counts
                                 Skylines
               From <Ethernet> ↵

* Sniffer Network Analyzer for Ethernet only (not present on DSS).
Capture Screen Function Keys

F2: Help/Explain*        Shows Indexed Help in Classic mode. In Expert mode, the key explains whatever is highlighted in the Expert window.
F2: View Stats/Expert    Acts as a toggle between the Expert Overview screen and the Global Statistics screen.
F3: Filter & Display*    Sets the Network object filter based on the highlighted selection in the Expert Summary, Detail or Statistics window, and then displays the data.
F3: Remove Filter*       Removes the Network object filter for the highlighted selection in the Expert Summary, Detail or Statistics window.
F4: Data display*        Displays the data captured in the buffer.
    Expert Window        Returns the view to the Expert screen.
    View DLC stn         While in a Symptom Summary screen, shows DLC station addresses.
    View protocol        While in a Symptom Summary screen, shows the protocol used.
    View symptom         While in a Symptom Summary screen, shows the Last Symptom.
F5: Menus*               Returns the screen to the Main Menu.

* Only available when capture is paused or finished.
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More Capture Screen Function Keys 


F6: Capture options* Brings up the Capture Options menu. Capture display formats can be 
changed through this menu. 


F7: Lower layer* While in any Object/Symptom screen, permits you to quickly move to 
next lower Expert layer. 

F8: Higher layer* While in any Object/Symptom screen, permits you to quickly move to 
next higher Expert layer. 

                         While in any Object/Symptom screen, permits you to quickly move from one Symptom to another, bypassing Symptom-less objects.

F7: Remove diag While in any Diagnosis Summary or Diagnosis Detail screen, 
temporarily removes the highlighted diagnosis from the screen. 

F8: Restore diags While in a Diagnosis Summary or Diagnosis Detail screen, restores all 
diagnoses back on the screen. 

F9: Pause Pauses the capture to make other capture functions available. 

F9: Resume* Resumes the capture process. 

F10: Stop capture Stops the capture and returns you to the Main Menu. 

F10: New capture* Starts a new capture, wiping out the present buffer contents. 


Shift+F10: Continuous    Starts a continuous capture when recapturing from a trace file.


* Only available when capture is paused or finished. 
Choosing a Capture Mode

• Expert mode (default)
  Real time expert analysis will occur using an object database.

• Classic mode
  This mode is used when expert analysis is not desired. Real-time expert analysis will not occur.

• Highspeed mode (Ethernet Network Analyzer only, not present on DSS)
  This mode is used under extremely high traffic conditions. Real-time graphical display or expert analysis will not operate.
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Expert Mode versus Other Modes 


With Expert mode, the analysis is based on the object 
database, including information taken from frames no 
longer in the First-In-First-Out (FIFO) capture buffer. 


With Classic and Highspeed mode, you can still have 
the Expert Analyzer do its analysis at display time. 
However, the analysis is based only on the frames in the 
capture buffer. 


You can also load a file and have the Expert Analyzer do 
its analysis when displaying the capture buffer. The 
same limitation applies as above. 
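The capture buffer, the capture filter, the Frame size option and the Expert-versus-Classic distinction above all come together in one small model, added here as an example (it is not the Sniffer's code; buffer size, station addresses and frame contents are constructed). The buffer is a FIFO that evicts the oldest frames when RAM is exhausted, the filter decides what enters it, and the slice size decides how many frames fit. In Expert mode the object database is updated as each frame is accepted, so it still knows about stations whose frames have since been evicted; a display-time (Classic) analysis can only count what is left in the buffer, which is the limitation the text describes.

```python
"""Added example (not the Sniffer's code): a model of the capture path. A
capture filter decides which frames enter the buffer, the Frame size option
slices each accepted frame, and the buffer is a FIFO that drops the oldest
frames when RAM runs out. The object database is fed as frames arrive, so it
remembers stations whose frames have already fallen out of the buffer, while a
display-time analysis sees only the buffer. Frames and sizes are constructed."""
from collections import deque


def stations_in(frame: bytes):
    """DLC addresses of an Ethernet frame (destination at 0..6, source at 6..12)."""
    return {frame[0:6].hex().upper(), frame[6:12].hex().upper()}


class CaptureBuffer:
    def __init__(self, size_bytes, frame_size=None, capture_filter=None):
        self.size = size_bytes
        self.slice = frame_size                      # None = "Whole frame"
        self.accept = capture_filter or (lambda f: True)
        self.frames = deque()
        self.used = 0
        self.seen = self.accepted = self.dropped_oldest = 0
        self.object_db = set()                        # Expert-mode station objects

    def offer(self, frame: bytes) -> bool:
        self.seen += 1
        if not self.accept(frame):
            return False                              # rejected by the capture filter
        stored = frame if self.slice is None else frame[:self.slice]
        while self.frames and self.used + len(stored) > self.size:
            old = self.frames.popleft()               # FIFO: the oldest frame leaves first
            self.used -= len(old)
            self.dropped_oldest += 1
        self.frames.append(stored)
        self.used += len(stored)
        self.accepted += 1
        # Expert mode learns objects as the frame passes, before it can be evicted.
        self.object_db.update(stations_in(frame))
        return True

    def stations_at_display_time(self):
        """Classic-mode analysis: only what is still in the buffer."""
        db = set()
        for f in self.frames:
            db.update(stations_in(f))
        return db


def ethernet_frame(src_no: int, dst_no: int, length: int) -> bytes:
    """Constructed Ethernet II frame between two locally administered addresses."""
    src, dst = bytes([2, 0, 0, 0, 0, src_no]), bytes([2, 0, 0, 0, 0, dst_no])
    return dst + src + b"\x08\x00" + bytes(length - 14)


def to_or_from(station_no: int):
    """Capture filter: only frames where this station is source or destination."""
    addr = bytes([2, 0, 0, 0, 0, station_no]).hex().upper()
    return lambda f: addr in stations_in(f)


def demo():
    frames = [ethernet_frame(n, 0x10, 100) for n in range(1, 7)]   # six 100-byte frames
    whole = CaptureBuffer(size_bytes=300)                           # holds three whole frames
    sliced = CaptureBuffer(size_bytes=300, frame_size=64)           # 64-byte slices: four fit
    filtered = CaptureBuffer(size_bytes=300, capture_filter=to_or_from(3))
    for f in frames:
        whole.offer(f)
        sliced.offer(f)
        filtered.offer(f)
    return {
        "whole_in_buffer": len(whole.frames),
        "whole_dropped": whole.dropped_oldest,
        "expert_stations": len(whole.object_db),
        "classic_stations": len(whole.stations_at_display_time()),
        "sliced_in_buffer": len(sliced.frames),
        "filtered_seen": filtered.seen,
        "filtered_accepted": filtered.accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The "frames seen" versus "frames accepted" counters the exercises ask you to write down are the `seen` and `accepted` fields here; the gap between them is what the filter rejected, and `dropped_oldest` is what the buffer forgot.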
Defining Capture Options

When capturing, you have the following configuration options to consider:

• Capture Source
• Screen Format
• Frame Size

Capture Source

• From the Network
  Default capture source is from the network. Captured data may be saved to disk.

• From a File
  Optionally, you can capture from a previously saved file. This is done to:
  1. View capture statistics again
  2. View Expert diagnoses and symptoms again
  3. Demo purposes
Exercise (Ethernet)

Objective: To get familiarized with capturing network traffic.

1. Move to Capture in the Main Menu. Move right, and down to From.

2. Press Enter, select TC101C, press Enter, select TCPDEMO6.ENC and press Enter to set the capture From field to C:\CAPTURE\TC101C\TCPDEMO6.ENC.

3. Press F10 to start capturing. This will capture from the data file instead of the network. The Sniffer Analyzer is now simulating a live capture using this data file.

4. Depressing and holding the Alt key while capturing from a file will remove any time delay between packets. This speeds capture when you're not interested in timing statistics.

5. When you see <ENDFILE>, you have reached the end of the data file and the Sniffer Analyzer has stopped capturing. Write down the number of frames seen, which is indicated by adding together the good, short/runt frames, collisions, bad CRCs and the number of lost frames, and the number of frames accepted in the capture buffer.

6. You can now press F3 to display the frames that you have captured.
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Exercise (Token Ring) 


Objective: To get familiarized with capturing network traffic.

1. Move to Capture in the Main Menu. Move right, and down to From.

2. Press Enter, select TC101C, press Enter, select TRDEMOS5.TRC and press Enter to set the capture From field to C:\CAPTURE\TC101C\TRDEMOS5.TRC.

3. Press F10 to start capturing. This will capture from the data file instead of the network. The Sniffer Analyzer is now simulating a live capture using this data file.

4. Depressing and holding the Alt key while capturing from a file will remove any time delay between packets. This speeds capture when you’re not interested in timing statistics.

5. When you see <ENDFILE>, you have reached the end of the data file and the Sniffer Analyzer has stopped capturing. Write down the number of frames seen and the number of frames accepted in the capture buffer.

6. You can now press F3 to display the frames that you have captured.


Network General
Troubleshooting with the Expert Sniffer Network Analyzer - 6/94 Rev. 4.4    Capturing Network Traffic - 15
71

© Copyright 1990 - 1994 Network General Corporation. All rights reserved.

Screen Format

[Screen: the main menu (Cable tester, Traffic generator, Capture filters, Trigger, Schedule, Capture, Display, Expert config, Files, Options, Exit) with the Capture submenu open: Frame size; Expert mode / Classic mode / Highspeed mode; Screen format; From <Ethernet>. The Screen format submenu offers: Show frame counts, Show Kbyte counts, Show NW usage, Linear bar scale, Log bar scale, Expert window, Individual counts, Pair counts, Skylines, Specify.]
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Sniffer University 


[Screen: CAPTURING, Expert Overview (elapsed time). Columns: Objects | Symptoms | Diagnoses; rows: Applications, Connections, Network Stations, Subnet Pairs, DLC Stations, Global Symptoms, each with its counts, and a "Use ↑↓" prompt. Status lines: Good / Short/Runt / Collision / Bad CRC / Lost counts; Frames accepted, Kbytes accepted, % Buffer utilization; Frames per second bar.]
Expert Window 


This is the default - the Expert Overview screen showing Network 
Objects/Symptoms and Diagnoses. 
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Expert Window 


Designed to provide a summary of network activity at each Expert layer.

The three columns include:
— Objects
— Symptoms
— Diagnoses

The counters include:
— number of network objects detected
— number of symptoms detected
— number of diagnoses detected

Hyphens indicate that counts are not applicable.
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Expert Window 
“Layers” of Information

Objects/Symptoms          Diagnosis
Layer Summary             Diagnosis Summary
Layer Detail              Diagnosis Detail
Layer Statistics          Layer Detail
                          Layer Statistics

Within the Expert Window, pressing <Enter> on a selected object/symptom or diagnosis leads to additional screens of information. The word "Layer" (shown in italics on the slide) should be replaced with the selected Expert layer name.
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Object /Symptom Summary Displays 


[Screen: CAPTURING, Application Summary. Columns: DLC Station 1, DLC Station 2, Requests, Symps, Last Symptom (for example "loops on a request"). Prompt: "1 of 3; Use ↑↓, ENTER for detail; +/- for next/prev symp; ESC to return". Status lines: Good / Short/Runt / Collision / Bad CRC / Lost; Frames accepted, Kbytes accepted, % Buffer utilization; Frames per second bar. Function keys: F2 Filter, F3 Data display, F4 View display, F5 Protocol options, F6 Capture options, F10 New capture.]


Although this example shows the Application layer, please remember that all of the Expert layers 
support similar screens. 
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Object/Symptom Summary Displays

• The Symptom Summary display has several formats:
Press F4 to toggle the display for:
— DLC address
— Network address and protocol
— Last symptom

• To scroll through a list of symptoms:
— Press “-” or “+” to go to the previous or next symptom, respectively

• To bring up the Explain Help screen:
— Pause capturing by pressing F9
— Press F1 to invoke Explain

• To see the detail and statistics related to a symptom:
— Highlight the symptom from the Summary screen and press Enter for detail and Enter again for statistics
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Other Object/Symptom Displays

• Layer Detail Screen
— Network addresses (including subnet numbers) of the two endpoints of a connection
— The protocol(s) used
— Symptoms associated with the particular connection, network station, or DLC station

• Layer Statistics Screen
— Application layer symptoms: statistics for application requests and average file transfer performance
— Connection layer symptoms: number of frames, total bytes, average frame length, average ack time, etc. on a particular connection

You can still press “-” or “+” to move to the previous or next symptom in the summary list while displaying these screens.
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Diagnosis Summary Displays 


[Screen: the upper pane shows the Summary data display (Delta T, DST columns and decoded TCP and XWIN frames); the lower pane is the Connection Diagnosis Summary with columns Duration and Diagnosis, listing entries such as "Local router: [a] & [b]", "Retransmissions: [a] & [b]" and "Non-responsive station: [a]". Prompt: "Use ↑↓, ENTER to see detail, ESC to return; Use F2 to filter frames on this connection and return to data display". Function keys: F1 Explain, F2 Filter, F3 Data display, F6 Display options, F7 Remove diag, F10 New capture.]


Although this example shows the Connection layer, please remember that all of the Expert layers 
support similar screens. 
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Diagnosis Summary Displays

• The First Time field
— The date and time when the analyzer first made the diagnosis

• The Duration field
— The total cumulative length of time during which the diagnosis was valid

• An asterisk “*” in the left-most column beside a diagnosis indicates that the diagnosis is still active.

• Press F7 to remove a diagnosis from view.
• Press F8 to restore all diagnoses.

• Press Enter on the highlighted diagnosis to see the Diagnosis Detail, Detail and Statistics screens. The information shown depends on the particular diagnosis.

• Press F9 Pause and F1 to see the Explain screen.
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Other Diagnosis Displays 


• Diagnosis Detail Screen
— Information necessary for the investigation of the highlighted diagnosis
— Exact screen content depends on the diagnosis

• Layer Detail Screen
— Network addresses (including subnet numbers) of the two endpoints of a connection
— The protocol(s) used
— Symptoms associated with the particular connection, network station, or DLC station

• Layer Statistics Screen
— Application layer symptoms: statistics for application requests and average file transfer performance
— Connection layer symptoms: number of frames, total bytes, average frame length, average ack time, etc. on a particular connection
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Global Statistics 


[Screen: CAPTURING, Global Statistics (elapsed time). Panels: "Composition of Traffic by Protocol Family" (Family, % Bytes bar with ticks 0 / 25 / 50 / 75 / 100, rows such as AppleTalk, Banyan, DECnet, ..., Other/Err); "Bandwidth Utilization" (average / current / maximum as % and Frms/sec); "Run Information" (bandwidth 10 Mb/s, duration, start run date and time, % analyzed 100). Status lines: Good / Short/Runt / Collision / Bad CRC / Lost; Frames accepted, Kbytes accepted, % Buffer utilization; Frames per second bar. Function keys: F1 Explain, F2 View expert, F3 Data display, F6 Capture options, F10 New capture.]
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Global Statistics 


• Composition of Traffic by Protocol Family
— Frames are categorized according to the highest protocol layer analyzed
— Numeric and graphical representation of network traffic percentage in bytes

• Bandwidth Utilization
— Average, Current and Maximum number of frames/second and percentage of bandwidth utilized

• Run Information
— Bandwidth available (theoretical maximum, example: Ethernet = 10Mbps)
— Duration of trace capture time between first and last frames in buffer
— Elapsed trace capture time (does not include pause time during capture)
— % Analyzed below 100% indicates potential backlog of frames waiting to be analyzed due to heavy traffic loads

F2 toggles between Expert Overview and Global Statistics
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Exercise (Ethernet): Duplicate IP Address 


Objective: Find a duplicate IP network layer address using the Expert 
Sniffer Network Analyzer. 


Background: A duplicate network layer address occurs when two stations 
have been configured to use the same network layer address. 
Every network station must have a unique address in order to 
communicate with other stations properly. 


1. From the main menu, select Options, then Use defaults. Capture from the file 
C:\CAPTURE\TC101C\TCPDEMO6.ENC. 


2. After a few seconds, observe the increment in the Diagnosis count field for Network 
stations. 


3. Arrow down to the network layer. Press Enter to view the Network Station 
Diagnosis Summary. a) What is the diagnosis reported? b) What is the IP network 
address that is being used by two stations? 


4. Press Enter to see the Network Station Diagnosis Detail. What are the Ethernet 
addresses of the two stations using the same IP address? 
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Exercise (continued) 


5. If the capture is still running, press F9 to pause the capture.


6. Press F1 to explain the diagnosis. Read the explain screen. Then press Esc to return 
to the Diagnosis Detail screen. 


7. Press F2 to filter and display frames related to this diagnosis. 


8. Using the first two frames in the display, explain why the Expert Sniffer Analyzer 
flagged a duplicate network layer address condition. 
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Exercise (Ethernet): 
Local Router in an Ethernet/IP Network 


Objective: Find the source of a Local Router problem on the network. 


Background: A Local Router diagnosis is created when the Expert Sniffer 
notices that two local stations are communicating via a router 
unnecessarily. Since both stations are locally attached to the 
same network they shouldn’t have to go through a router. 


1. After resetting the Sniffer to system defaults, capture from the file 
C:\CAPTURE\TC101C\TCPDEMO6.ENC. 


2. After a few seconds, observe the Connection layer diagnosis count increase. 


3. Arrow down to the Connection layer. Press Enter to view the Connection Diagnosis 
Summary. Which stations are involved in a local router situation? 
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Exercise (continued) 


4. Press Enter to see the Connection Diagnosis Detail. What is the Ethernet address of 
the station acting as a local router for these stations? 


5. If the capture is still running, press F9 to pause the capture.


6. Press F1 to explain the diagnosis. Page down until you see the network drawing. 
What might be a possible cause for the Local Router situation? (This requires some 
knowledge of IP addressing.) 
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Exercise (Token Ring): 
Connection and DLC errors 


Objective: Investigate Connection and DLC layer diagnoses on a Token 
Ring network. 


Background: Users on a Novell Token Ring network are complaining of unusually slow response times.


1. Capture from the file C:\CAPTURE\TC101C\TRDEMOS.TRC. Hold down the 
Alt key to speed up the capture 


2. After about 20 seconds, observe the Connection layer diagnosis count increase. 


3. Arrow down to the Connection layer. Press Enter to view the Connection 
Diagnosis Summary. What is the diagnosis? 
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Exercise (continued) 


4. Press Esc to go back to the Expert Overview. Arrow down to the DLC Stations 
Diagnosis layer and press Enter. 


5. What diagnoses are you seeing at this layer? 


6. If the capture is still running, press F9 to pause the capture.


7. Press F1 to explain the diagnosis High rate of ring purges by IBM 38C9FF. 
Do you think the retransmissions at the connection layer may be related to the 
diagnoses at the DLC layer? 
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Exercise (Token Ring): 
Local Router in a Token Ring Network 


Objective: Find the source of a Local Router problem on the network. 


Background: A Local Router diagnosis is created when the Expert Sniffer 
notices that two local stations are communicating via a router 
unnecessarily. Since both stations are locally attached to the 
same network they shouldn’t have to go through a router. 


1. Capture from the file C:\CAPTURE\TC101C\LOCAL.TRC. 
2. After a few seconds, observe the Connection layer diagnosis count increase. 


3. Arrow down to the Connection layer. Press Enter to view the Connection Diagnosis 
Summary. Which stations are involved in a local router situation? 
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Exercise (continued) 


4. Press Enter to see the Connection Diagnosis Detail. What is the Token Ring 
address of the station acting as a local router for these stations? 


5. If the capture is still running, press F9 to pause the capture.


6. Press F1 to explain the diagnosis. Page down until you see the network drawing. What might be some of the possible causes for this Local Router situation?
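The two diagnoses whose backgrounds the Duplicate IP Address and Local Router exercises describe, re-created as detection logic over constructed frames (an added example, not Network General's code; the station names, the 192.0.2.0/24 subnet and the frame records are assumptions):

```python
"""Re-creation of two Expert Sniffer diagnoses over constructed frames.

Added example for this course section; it is not Network General code and
only models the two conditions the exercise backgrounds describe:

  * Duplicate network address: one IP address is used as the IP source of
    frames carrying two different DLC (Ethernet/Token Ring) source addresses.
  * Local router: two stations whose IP addresses are on the same local
    subnet exchange frames that are addressed, at the DLC layer, to a third
    station (the router) instead of directly to each other.

Frame records, station names and the subnet are assumptions of this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")          # assumed local subnet

# Constructed frames: (DLC source, DLC destination, IP source, IP destination)
SAMPLE_FRAMES = [
    ("DLC-A", "DLC-B", "192.0.2.10", "192.0.2.20"),    # A talks to B directly
    ("DLC-B", "DLC-A", "192.0.2.20", "192.0.2.10"),
    ("DLC-C", "DLC-B", "192.0.2.30", "192.0.2.20"),    # C's DLC address is learned here
    ("DLC-X", "DLC-B", "192.0.2.10", "192.0.2.20"),    # a second DLC station using A's IP
    ("DLC-A", "DLC-R", "192.0.2.10", "192.0.2.30"),    # A -> C sent via router R: local router
    ("DLC-A", "DLC-R", "192.0.2.10", "198.51.100.7"),  # A -> remote host via R: normal
]


def learn_stations(frames):
    """Map each IP source address to the set of DLC addresses that used it."""
    ip_to_dlc = defaultdict(set)
    for dlc_src, _, ip_src, _ in frames:
        ip_to_dlc[ip_src].add(dlc_src)
    return ip_to_dlc


def duplicate_network_addresses(frames):
    """Network-layer diagnosis: IP addresses claimed by more than one DLC station."""
    return {ip: sorted(dlcs) for ip, dlcs in learn_stations(frames).items()
            if len(dlcs) > 1}


def local_router_connections(frames, local_net=LOCAL_NET):
    """Connection-layer diagnosis as a set of (ip_src, ip_dst, router DLC).

    A frame is flagged when both endpoints are inside local_net, the
    destination station's own DLC address has already been learned, and the
    frame's DLC destination is not that address (a router relayed it).
    """
    ip_to_dlc = learn_stations(frames)
    flagged = set()
    for _, dlc_dst, ip_src, ip_dst in frames:
        src, dst = ip_address(ip_src), ip_address(ip_dst)
        if src not in local_net or dst not in local_net:
            continue                      # off-subnet traffic legitimately needs a router
        known = ip_to_dlc.get(ip_dst, set())
        if known and dlc_dst not in known:
            flagged.add((ip_src, ip_dst, dlc_dst))
    return flagged


if __name__ == "__main__":
    for ip, dlcs in duplicate_network_addresses(SAMPLE_FRAMES).items():
        print(f"Duplicate network address: {ip} used by {' & '.join(dlcs)}")
    for ip_src, ip_dst, router in sorted(local_router_connections(SAMPLE_FRAMES)):
        print(f"Local router: [{ip_src}] & [{ip_dst}] via {router}")
```

The first two frames of a flagged connection are exactly what step 8 of the Duplicate IP exercise asks you to read: the same IP source carried by two different DLC source addresses.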
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[Screen: CAPTURING, Individual Counts display ("Number of frames from the station"): a list of transmitting stations (vendor-prefixed DLC addresses and named hosts) with the number of frames from each. Status lines: Good / Short/Runt / Collision / Bad CRC / Lost; Frames accepted, Kbytes accepted.]
Individual Counts 


An entry is created on the screen for each transmitting station and its 
activity level. 
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Pair Counts 


[Screen: CAPTURING, Pair Counts display ("Number of frames from the station", elapsed time): a list of station pairs (vendor-prefixed DLC addresses, named hosts and Broadcast) with frame counts in each direction. Status lines: Good / Short/Runt / Collision / Bad CRC / Lost; Frames accepted, Kbytes accepted, % Buffer utilization; Frames per second bar.]


Pair Counts 


An entry is created on the screen for each pair of station conversations, 
including transmit and receive activity 
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[Screen: CAPTURING, Skylines display (elapsed time): bar graph of traffic over a time axis with a "#stns" (active stations) trace. Status lines: Good / Short/Runt / Collision / Bad CRC / Lost; Frames accepted, Kbytes accepted, % Buffer utilization; Frames per second bar; F10 Stop capture.]

Skylines 


A bar graph of network traffic and the number of active stations is 
displayed. The graph continually updates every second, minute, or hour, 
depending on the time scale selected. 
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Units of Measurement 


• Displaying Information about Frames
— Traffic level bar graph (at bottom) is in Frames per second
— Skylines are in Frames per second
— Pair/Individual station counts are in Frames

• Displaying Information about Kbytes
— Traffic level bar graph is in Kbytes per second
— Skylines are in Kbytes per second
— Pair/Individual station counts are in Kbytes

• Displaying Information about Network Util %
— Traffic level bar graph is in percentage of network utilization
— Skylines are in Kbytes per second
— Pair/Individual station counts are in Kbytes
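The Global Statistics figures and the bar-scale units described above, computed over a constructed capture (an added example, not the Sniffer's own code; the sample frames and the 0.1% to 100% span assumed for the Log bar scale are assumptions):

```python
"""Global Statistics and bar-scale arithmetic over constructed frames.

Added example for this section; it is not the Sniffer's own code. It
re-creates the figures described under Global Statistics and Units of
Measurement: composition of traffic by protocol family (percent of bytes,
each frame counted under the highest protocol layer analysed), bandwidth
utilization (average / current / maximum frames per second and percent of
a 10 Mb/s Ethernet), and where a utilization value lands on the Linear and
Log bar scales.  Sample frames and the log-scale end points are assumptions.
"""
from collections import defaultdict
import math

ETHERNET_BPS = 10_000_000       # Run Information: bandwidth 10 Mb/s
LOG_SCALE_MIN_PCT = 0.1         # assumed left end of the Log bar scale
SCALE_MAX_PCT = 100.0           # right end of both bar scales

# Constructed sample, in timestamp order: (seconds, frame length in bytes, family)
SAMPLE_FRAMES = [
    (0.01, 64, "TCP/IP"), (0.20, 1514, "TCP/IP"), (0.35, 128, "AppleTalk"),
    (1.05, 1514, "TCP/IP"), (1.10, 1514, "TCP/IP"), (1.50, 600, "DECnet"),
    (1.80, 1514, "TCP/IP"),
    (2.02, 64, "Other/Err"), (2.90, 64, "DECnet"),
]


def composition_by_family(frames):
    """Percent of captured bytes per protocol family, rounded to 0.1."""
    by_family = defaultdict(int)
    for _, length, family in frames:
        by_family[family] += length
    total = sum(by_family.values())
    return {f: round(100.0 * b / total, 1) for f, b in by_family.items()}


def bytes_to_percent(byte_count, seconds=1.0, bps=ETHERNET_BPS):
    """Percent of line rate used by byte_count bytes sent within `seconds`.

    Counts frame bytes only; preamble and inter-frame gap are ignored
    (an assumption of this example, not a statement about the Sniffer).
    """
    return 100.0 * byte_count * 8 / (bps * seconds)


def per_second_buckets(frames):
    """[(frames, bytes)] for every whole second from the first to the last frame."""
    if not frames:
        return []
    first = math.floor(frames[0][0])
    last = math.floor(frames[-1][0])
    buckets = [[0, 0] for _ in range(last - first + 1)]
    for ts, length, _ in frames:
        bucket = buckets[math.floor(ts) - first]
        bucket[0] += 1
        bucket[1] += length
    return [tuple(b) for b in buckets]


def bandwidth_utilization(frames):
    """Average / current / maximum as (frames per second, percent bandwidth)."""
    buckets = per_second_buckets(frames)
    fps = [f for f, _ in buckets]
    pct = [bytes_to_percent(b) for _, b in buckets]
    return {
        "average": (sum(fps) / len(fps), sum(pct) / len(pct)),
        "current": (fps[-1], pct[-1]),          # the most recent second
        "maximum": (max(fps), max(pct)),
    }


def linear_bar(pct):
    """Position (0.0 to 1.0) of a utilization value on the Linear bar scale."""
    return min(max(pct, 0.0), SCALE_MAX_PCT) / SCALE_MAX_PCT


def log_bar(pct):
    """Position (0.0 to 1.0) on the Log bar scale; values at or below the left end clamp to 0."""
    if pct <= LOG_SCALE_MIN_PCT:
        return 0.0
    span = math.log10(SCALE_MAX_PCT) - math.log10(LOG_SCALE_MIN_PCT)
    return min(1.0, (math.log10(pct) - math.log10(LOG_SCALE_MIN_PCT)) / span)


if __name__ == "__main__":
    print("Composition of Traffic by Protocol Family (% bytes):")
    for family, pct in sorted(composition_by_family(SAMPLE_FRAMES).items()):
        print(f"  {family:<10} {pct:5.1f}%")
    for label, (fps, pct) in bandwidth_utilization(SAMPLE_FRAMES).items():
        print(f"{label:<8} {fps:5.1f} frms/sec  {pct:6.3f}% bandwidth  "
              f"linear bar={linear_bar(pct):.2f}  log bar={log_bar(pct):.2f}")
```

On a lightly loaded segment the Linear bar barely moves while the Log bar still separates 0.1% from 1% from 10%, which is the trade-off the bar-scale exercises ask you to compare.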
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Exercise (Ethernet)

Objective: Practice using standard capture screen formats. There's no need to display the data. Just capturing provides you with enough information about the network traffic to complete the exercise.

1. After resetting system defaults, start the Ethernet Network Analyzer and set the Capture mode to Classic Mode.

2. Set capture screen format to show Pair Counts and Frame counts when capturing.

3. Set the capture From field to C:\CAPTURE\TC101C\NOVELL.ENC.

4. Press F10 and the Enter key to start the capture. Hint: Depressing the Alt key while capturing from a file will speed up capturing.

5. When you see <ENDFILE>, write the number of frames between station pairs:
3Com 119421   3Com 217692
3Com 119326   3Com 217692
3Com 217692   Broadcast
Why are there no values in the last location?

6. Press F6 to go to the Capture Options menu. Change the capture format to Individual Counts. Press F10 and the Enter key to recapture the file showing individual counts.
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Exercise (continued) 


7. After you see <ENDFILE>, enter the number of frames from the station:

3Com 119421
3Com 217692
3Com 119326

8. Using the information you gathered in step 5, explain why 3Com 217692 has a total of 237 frames.

9. Press F6 to return to the Capture Options menu.

10. Set the capture menu to Show NW usage and verify that the default, Log bar scale, is properly set. Start a continuous capture by depressing SHIFT and F10 together and then Enter.

11. After a few seconds, indicate where the bar peaks on the Network Utilization scale below:

.1%   .25%   1%   2.5%   10%   25%   100%
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Exercise (continued) 


12. Pause the capture by pressing F9 and then display the capture options menu by pressing F6. Change the selection to indicate Linear bar scale and press F9 to resume capturing.

Indicate where the bar peaks in the Network Utilization scale below:

0%   20%   40%   60%   80%   100%

13. Compare the 2 scales you have just drawn. Which scale is preferable when capturing on a very busy network?


These screens can help you to understand the 
characteristics of the network at this point in time. 
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Exercise (Token Ring) 


Objective: Practice using standard capture screen formats. There's no need to 
display the data. Just capturing provides you with enough information 
about the network traffic to complete the exercise. 


1. Start the Token Ring Network Analyzer and set the Capture mode to Classic Mode. 
2. Note the default capture screen format settings for this mode and mark them below. 
Show frame counts 


Show KByte counts 
Show NW usage 


Linear bar scale 


Log bar scale 


Expert window 
Individual counts 
Pair counts 
Skylines 


3. Set the capture From field to C:\CAPTURE\TC101C\SNAGATE.TRC. 
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4. Press F10 and the Enter key to start the capture. Hint: Depressing the Alt key while capturing from a file will speed up capturing.

5. When you see <ENDFILE>, write the number of frames between station pairs:
IBM 0030E6   NetBIOS
IBM 0030E6   Broadcast
IBM 0007B8   IBM 0030E6

Why are there no values in the first two locations on the right?

6. Press F6 to go to the Capture Options menu. Change the screen format to Individual Counts. Press F10 and the Enter key to recapture the file showing individual counts.
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Exercise (continued) 


7. After you see <ENDFILE>, enter the number of frames from the station:

IBM 0030E6
IBM 0007B8

8. Using the information you gathered in Step 5, explain why IBM 0030E6 has a total of 158 frames.

9. Press F6 to return to the Capture Options menu.

10. Set the screen format to Show NW usage with Log bar scale. Start a continuous capture by depressing SHIFT and F10 together and then Enter.

11. After a few seconds, indicate where the bar peaks on the Network Utilization scale below:

.1%   .25%   1%   2.5%   10%   25%   100%
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Exercise (continued) 


12. Pause the capture by pressing F9 and then display the capture options menu by 
pressing F6. Change the selection to indicate Linear bar scale and press F9 
to resume capturing. 


Indicate where the bar peaks in the Network Utilization scale below: 


0% 20% 40% 60% 80% 100% 


13. Compare the 2 scales you have just drawn. Which scale is preferable when 
capturing on a very busy network? 


These screens can help you to understand the 
characteristics of the network at this point in time. 
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Capture Frame Size 


[Screen: Capture menu showing "Buffer = 5136K" with the Frame size submenu open: 32 bytes (highlighted), 64 bytes, 128 bytes, 256 bytes, 512 bytes, Whole frame; the Capture mode (Expert / Classic / Highspeed) and Screen format items are visible beside it. Help text: "Capture the first 32 bytes of each frame. Press SPACE to select this option".]

• You can choose to truncate frames that exceed a certain length to fit more frames into the capture buffer.

• The default is to capture the entire frame.

• If “sliced” properly, nothing will be lost from the frame except user data.
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Sniffer Capture Range 


[Diagram: three frame layouts with the Sniffer Capture Range marked on each.
Ethernet II: header fields, then Upper Layer Protocols and Data (46-1500); Sniffer Capture Range spans the header and data.
IEEE 802.3: header fields, then Upper Layer Protocols and Data (43-1497), then FCS (4); Sniffer Capture Range spans the header and data.
IEEE 802.5: header fields, then Upper Layer Protocols and Data (Variable); Sniffer Capture Range spans the header and data.]
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[Screen: MEMORY STATISTICS]

DOS data space: 268320 bytes
Expanded memory: 5259264 bytes, 5259264 contiguous
Capture buffer: 5259264 bytes (Expanded memory)

DOS ram heap: 5 regions, 266224 bytes
High ram heap: 3 regions, 98264 bytes
part: 5 regions, 266184 bytes

heap: pieces, 2816 bytes
heap: pieces, 361632 bytes
part: pieces, min 4306, max 65532
Restricted part: pieces, min 16388, max 62700
Last request: bytes

Stack: % in use now, 37% max

Press any key
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Frame Size Example: 
Same Buffer... More Frames 


Whole Frame Selected: ... 8,000 Frames
256 Byte Frame Slicing Selected: ... 32,000 Frames
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Sniffer University™


Exercise (Ethernet) 


Objective: Determine at what frame size the Sniffer Analyzer can 
completely decode the Network File System (NFS) protocol. 


Background: The NFS session in this trace file is part of file operations 
during a compiler’s execution. 


1. After resetting system defaults, capture from the trace file 
C:\CAPTURE\TC101C\TCPIP.ENC. Press F10 to start the Capture. Hint: 
Holding down the Alt key speeds up the capture. 


2. Press F3 to display the data. Notice that NFS is the highest layer protocol displayed 
in frames 1-3, as well as other frames. 


3. Press F5 to go to the menus. From the Capture menu, select a Frame size slice of 32 
bytes. Press F10 to re-capture. Press F3 to display the data. Does the Sniffer 
Analyzer show NFS? 


4. Increase the frame size, and re-capture the file until the decode is complete. 


5. At what frame size can the Sniffer Analyzer completely decode the NFS header? 
6. On the following diagram, outline the 32, 64, 128, and 256 byte “slices”. 
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Exercise (Ethernet), continued 


[Diagram: layered header layout of the NFS frame, with byte lengths in parentheses.
DLC: DA (6) | SA (6) | Type (2) | Upper Layer Protocols and Data (176)
IP: Version - 4 bits | IHL - 4 bits | Type of Service (1) | Total Length (2) | Identification (2) | Flags - 3 bits | Frag. Offset - 13 bits | ... | Upper Layer Protocols and Data (156)
UDP: header | Upper Layer Protocols and Data (148)
NFS: File Handle (32) | File Name (16)]
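A planner for the Frame size slicing option, using the header lengths from the diagram above (an added example, not Network General's code; the 24-byte RPC call header, the 1024-byte average frame length and the buffer-capacity arithmetic are assumptions):

```python
"""Frame-slice planner for the capture Frame size option.

Added example for this section; it is not Network General code.  It models
what the course describes: when a slice length is chosen, only the first N
bytes of each frame enter the capture buffer, so more frames fit, but any
protocol header that extends past byte N can no longer be decoded.  Header
lengths follow the course's Ethernet/NFS diagram (DLC 14, IP 20, UDP 8,
NFS file handle 32 + file name 16); the RPC call header length of 24 is an
ASSUMPTION covering only the fixed fields the diagram shows (a real RPC call
also carries variable-length credentials and verifier fields).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    header_len: int        # bytes of this layer's header


# Layer stack of the exercise's NFS request, outermost first.
NFS_OVER_ETHERNET = (
    Layer("DLC (DA 6 + SA 6 + Type 2)", 14),
    Layer("IP header", 20),
    Layer("UDP header", 8),
    Layer("RPC call header (assumed 24 bytes)", 24),
    Layer("NFS request (file handle 32 + file name 16)", 48),
)

# Frame size choices offered by the capture menu; None means Whole frame.
SLICE_CHOICES = (32, 64, 128, 256, 512, None)


def layer_offsets(stack):
    """[(layer, start, end)] byte ranges of each header within the frame."""
    out, pos = [], 0
    for layer in stack:
        out.append((layer, pos, pos + layer.header_len))
        pos += layer.header_len
    return out


def decodable_layers(stack, slice_len):
    """Names of the layers whose header lies entirely inside the slice."""
    if slice_len is None:
        return [layer.name for layer in stack]
    return [layer.name for layer, _, end in layer_offsets(stack) if end <= slice_len]


def smallest_slice_for(stack, layer_name, choices=SLICE_CHOICES):
    """Smallest offered slice that still fully captures layer_name."""
    for choice in choices:
        if layer_name in decodable_layers(stack, choice):
            return choice
    return None


def frames_per_buffer(buffer_bytes, frame_len, slice_len):
    """Frames of frame_len bytes that fit the buffer at a given slice.

    Ignores the per-frame bookkeeping the analyzer stores alongside each
    frame (an assumption), so the result is an upper bound.
    """
    stored = frame_len if slice_len is None else min(frame_len, slice_len)
    return buffer_bytes // stored


if __name__ == "__main__":
    buffer_bytes = 5259264    # "Capture buffer: 5259264 bytes" on the memory statistics screen
    frame_len = 1024          # assumed average frame length
    for choice in SLICE_CHOICES:
        label = "Whole frame" if choice is None else f"{choice:>3} bytes"
        layers = decodable_layers(NFS_OVER_ETHERNET, choice)
        print(f"{label}: {frames_per_buffer(buffer_bytes, frame_len, choice):>6} frames, "
              f"decodes through: {layers[-1] if layers else 'nothing'}")
    print("Smallest slice that decodes the NFS request:",
          smallest_slice_for(NFS_OVER_ETHERNET, NFS_OVER_ETHERNET[-1].name))
```

Because the RPC header length is assumed, check the planner's answer against what the exercise shows you when re-capturing TCPIP.ENC at each slice size.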
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Sniffer University™
Exercise (Token Ring) 

Objective: Determine at what frame size the Sniffer Analyzer can 
completely decode the Network File System (NFS) protocol. 
Background: The NFS session in this trace file is part of file operations 


during a compiler’s execution. 


1. After resetting system defaults, capture from the trace file 
C:\CAPTURE\TC101C\TCPIP.TRC. Press F10 to Capture. 
Hint: Holding down the Alt key speeds up the capture. 


2. Press F3 to display the data. Notice that NFS is the highest layer protocol displayed 
in frames 1-3, as well as other frames. 


3. Press F5 to go to the menus. From the Capture menu, select a Frame size slice of 32 
bytes. Press F10 to re-capture. Press F3 to display the data. Does the Sniffer 
Analyzer show NFS? 


4. Increase the frame size, and re-capture the file until the decode is complete. 


5. At what frame size can the Sniffer Analyzer completely decode the NFS header? 
6. On the following diagram, sketch the 32, 64, 128, and 256 byte “slices”’. 
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Exercise (Token Ring), continued 


[Diagram: layered header layout of the NFS frame on Token Ring, with byte lengths in parentheses where the slide gives them.
DLC / LLC / SNAP: header fields | Vendor Specific | Upper Layer Protocols and Data (208)
IP: Version - 4 bits | IHL - 4 bits | Type of Service (1) | Total Length (2) | Identification (2) | Flags - 3 bits | Frag. Offset - 13 bits | ... | Upper Layer Protocols and Data
UDP: Src Port (2) | Dst Port (2) | Len (2) | Chk (2) | Upper Layer Protocols and Data (180)
RPC "Call" Header: XID (4) | Type (4) | Ver (4) | Program (8) | Proc (4) | NFS "Data" (80)
NFS "Data": Mode | UID | GID | Size | Access Time | Modification Time | ...
NFS "Data" (Command)]
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Working With Files 


[Screen: Expert Sniffer Network Analyzer main menu (Capture filters, Trigger, Schedule, Capture, Display, Expert config, Files, Options, Exit; Version 4.46; (C) Copyright 1986 - 1994) with the Files submenu open: Load, Save, Change path, Delete data file, Make directory. Help text: "Load and save data or setups. Use the arrow keys to move around in the menu".]

• Saving Captured Frames (“Trace” Files)
• Loading and Replaying Trace Files
• File Maintenance
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Saving Captured Frames (Trace Files) 


To save frames in the capture buffer to disk:
1. Select Filters in Display Options as desired.
2. Select the frame numbers to save.
3. Select Filtered as desired.
4. Press Enter and enter an 8-character file name without extension and path. Note: the default option is to compress the file to save disk space.

[Diagram labels: Capture Buffer, Display]

NOTE: Trace files are referred to as Data files within the Analyzer’s menu tree.
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Loading and Replaying Trace Files 


Loading Trace Files From Files Menu
1. Under the Files menu,
2. Select Load, Data, Return and choose file.
3. After Loaded, press F3 to display the contents.

Replaying Trace Files - to view statistics as they occurred (From Capture Menu)
1. Under the Capture menu,
2. Press Enter on From <Ethernet>.
3. Select a data file and press Enter.
4. Press F10 to capture from the file.
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File Maintenance 


• Moving Through the Directory Structure
FILES\CHANGE PATH

• Deleting Unneeded Trace Files
FILES\DELETE DATA FILE

• Creating New Directories
FILES\MAKE DIRECTORY
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Under Expert config choose to enable or disable 
Recycle objects. 
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Section Summary 


What is a Capture?
Capture options
— Mode
— Source
— Screen format
— Frame size
File maintenance
— Saving
— Retrieving
Handling low memory
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Displaying Captured Traffic
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Section Objectives 


• Identify how to move between and within views

• Introduce display windows
— Expert view
— Summary view
— Detail view
— Hexadecimal view

• Learn how to:
— Search for frames
— Manage names
— Print
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[Screen: the Display menu tree; items recovered from the slide:
Main menu: Cable tester, Traffic generator, Capture filters, Trigger, Schedule, Capture, Display, Expert config, Files, Options, Exit.
Display: Frame editing, Manage names, Filters, Detail, Hex, Two viewports, Name width = 15, Print, Protocol forcing, EBCDIC characters, ASCII characters, Dynamic mode, ASCII parity.
Manage names: Broadcast, Specific, Edit names, Clear all names, Look for names, Resolve names, Save names.
Filters: Address level, Destination class, Station address, Protocol *, Pattern match, Network object, Symptom frames, Selected frames, Symptoms, All layers, DLC addresses, Two-station format, Good frames, Bad CRC frames, Short frames, Collision frames, Flags.
Other display options: Absolute time, Delta time, Relative time, Bytes, Cumulative bytes, NW utilization (1 / 10 / 100 / 1000 msec window); From first frame or From frame 1; To last frame or To frame 1.
Print: Device COM1, Device LPT1, File; Plain text format, CSV (spreadsheet).
Protocol: DLC, IP, ISO, DRP, VINES, ATALK, X25_LCN, X25_Call, SNA, XNS.
Station address: From <any station>, To <any station>, Reverse direction, Include these / Exclude these.
Pattern match: Match 1 to Match 4, Others; Frame-relative / Data-relative; Match / Don't match; AND / OR; Either offset; Pattern = XXXX, Offset = 000; Character / Hexadecimal / Binary.
Also shown: If <never>, Addr <any station>, Port = <any>, Skip 000 bytes, Then <none>.
* See Appendix for complete listing.]
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Use of Color

[Figure: protocol layers are color-coded in the display. Layers shown: Physical Level Protocols, Fragmentation Protocols, Link Level Protocols, Session Level Protocols, Management Layers. Colors legible in the figure: Brown, Light Red, Light Blue.]
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Moving Between and Within Views

F3          Toggles between the Expert and Summary windows.
F6          Calls the Display Options menu.
F4          Zooms in on the selected window.
F7          Moves the cursor to the previous frame.
F8          Moves the cursor to the next frame.
Tab         Moves between open windows.
Arrow keys  Moves the cursor up, down, left, or right within the current screen. If the
            information to display is larger than the Sniffer's screen, the arrow keys allow
            you to view the off screen information.

Troubleshooting with the Expert Sniffer Network Analyzer - 6/94 Rev. 4.4    Displaying Captured Traffic - 5


Sniffer University™


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Display Function Keys

F1   Help/Explain      Shows Indexed Help in most displays. The Explain screen
                       explains whatever is highlighted in the Expert window.
F2   Set mark          Marks a frame so that Relative time and cumulative bytes will
                       increment from that frame.
F3   Expert window     While in Data display, brings up the Expert window.
F3   Data display      While in the Expert window, brings up Data displays.
F4   Zoom in           When showing multiple data windows, fills the screen with the
                       selected window.
F4   Zoom out          When zoomed in, returns the screen to multiple windows.
F5   Menus             Returns the screen to the Main Menu.
F6   Display options   Brings up the Display Options menu. Most display functions
                       are controlled through this menu.
F7   Previous frame    Scrolls cursor back to the previous frame.
F8   Next frame        Scrolls cursor forward to the next frame.
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Function and Movement Keys (continued)

F9: Select frame        Allows you to pick and choose any frames for selection. These
                        could then be filtered and saved to a file, for example.
F10: New capture        Starts a new capture session, wiping out the present buffer contents.
Tab / Shift Tab         Selects the next / previous active data display window.
Arrow keys              Scrolls lines vertically and horizontally within a window.
PgUp / PgDn             Scrolls lines up / down a window full at a time within a window.
Home / End              Moves the cursor to the top / bottom of the window.
Ctrl Left / Ctrl Right  Move the window contents all the way to the left / right.
Ctrl PgUp / Ctrl PgDn   In the Detail and Hex windows only, functions like F7 / F8.
Ctrl Home / Ctrl End    In the Detail and Hex windows only, functions like Home and End.
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Display Windows

Expert         Displays the Expert's diagnoses, symptoms, and objects. These are based on
               analysis of traffic seen during capture, or just the contents of the buffer if
               the buffer was simply loaded.

Summary        Displays a single line for the highest level interpreted. This allows you to
               examine a number of frames at once. It is often useful in locating a
               problem spanning many frames.

Detail         Displays all interpreted information for the frame highlighted in the
               Summary window. This gives additional information about the frame
               contents and protocols to pinpoint a problem.

Hex / ASCII /  Displays the entire contents of the frame in HEX and ASCII or EBCDIC.
EBCDIC         Also shows the offset numbers within the frame. This is useful for
               manually decoding frames or viewing the data portion of the frame.

Two viewports  Splits the Sniffer Analyzer's screen into two independent viewing areas.
               The left and right sides can look at two different locations in the capture
               buffer. Frame comparison is easy to perform when using this option.
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Expert View

[Screen capture: the Summary window (frames 1 to 4, Token Ring MAC Active Monitor Present and Standby Monitor Present frames broadcast by IBM and Nestar stations) above the Expert Overview table, with columns Objects, Symptoms and Diagnoses and rows Applications, Connections, Network Stations, Subnet Pairs, DLC Stations and Global Symptoms.]

The Expert View shows network objects, symptoms, and
diagnoses identified by the Expert analyzer.
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Summary View

[Screen capture: the Summary window showing frames 1 to 20 of 51 with columns SUMMARY, Delta T, DST and SRC and a one-line interpretation per frame (MAC Active Monitor Present, MAC Standby Monitor Present, LLC UI frames) for broadcast traffic between IBM and Nestar stations. Function-key bar at the bottom: Help, Set mark, Expert window, Display options, Prev frame, Next frame, Select frame, New capture.]

The Summary View shows either a one-line summary of each
frame or several lines, with one line for each protocol level
within the frame.
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Summary View Formats

Symptoms            Displays the last symptom (if any) found for the frames
                    displayed.
All layers          Displays all protocol layers for the frames in the
                    Summary window, instead of the highest layer protocol.
DLC addresses       Displays the DLC addresses for frames in the DST and
                    SRC columns, instead of the frames' network layer
                    addresses.
Two station format  Using the first station conversation in the trace and
                    displaying their addresses at the top of the screen, their
                    frames are decoded and displayed on alternate sides of
                    the screen. This is useful for viewing commands and
                    responses between two stations.
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Summary View Options

Flags               Symbols are used to show different characteristics of a frame
Absolute Time       Exact system time (on the receiving Sniffer)
Delta Time          The time interval between packets
Relative Time       The time from the Mark to all other frames
Bytes               Number of bytes in the frame
Cumulative Bytes    Number of cumulative bytes from the Mark
NW % Utilization    Estimate of % utilization of network bandwidth, reported as a moving average
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Flag Symbols

M        Indicates which frame is the Mark frame.
T        The frame defined as the trigger event.
(arrow)  The frame is protocol forced. Multiple arrows indicate multiple protocol forces are
         applied to the frame.
         This frame was edited.
         The Expert analyzer has associated a symptom with this frame.
         This frame was selected by the user, by pressing F9.
         CRC error was detected in this frame. (Ethernet)
         This is a Short/Runt frame. (Ethernet)
         Lost frames indicator. Frames preceding this frame were lost before they could be
         fully processed.
O        Overrun indicator. The frame that preceded this frame was corrupted due to an error
         in memory transfer. This may happen on extremely loaded networks with small
         frames. (Ethernet)
X        Collision indicator. The frame that preceded this frame is the result of a collision, if
         the collision happened after the preamble (Ethernet-II card only)
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Selecting Time Setup Options 


Absolute Time 
— The time of day (HH:MM:SS.0000) for each frame 


— Used when the actual time of day is required. Be sure to 
set the Sniffer’s date and time by going into DOS and 
executing the DATE and TIME commands. 


Delta Time 


— The time interval between the displayed frames 


— Useful for viewing how quickly nodes are transmitting 
between frames and for seeing a server’s turnaround time 


Relative Time 
— The time interval between the Marked frame and the 
current frame. Press F2 to mark a frame. 


— You can find the time span over a number of frames in 
order to make response time and throughput measurements 
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Packet Size Data 


• Packet Size (Bytes)


Useful for general information and when looking for 
packet size efficiency of the protocol or network. 


• Cumulative Bytes


This allows you to Mark (F2) a frame and all packet 
sizes will be added together following the marked frame. 
One good example of using Cumulative Bytes is to filter 
on a communications session between two stations and 
determine how many bytes were used to accomplish a 
given procedure or operation. 
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Window Size Example NW Util

Window size          Example NW Util
1 msec               12.38%
10 msec              1.36%
100 msec (default)   0.27%
1000 msec            0.02%
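The figures fall as the window grows because a short burst of frames is averaged over more idle time. The following Python, an added example rather than course material, reproduces that effect on a constructed four-frame capture; the 10 Mbps line rate, a 20-byte per-frame overhead (preamble, SFD and inter-frame gap) and a look-back window ending at each frame's arrival are assumptions.

```python
# Added example: moving-window network utilization for different window sizes.
# Not from the Sniffer course; line rate, overhead and window placement are assumptions.

LINE_RATE_BPS = 10_000_000   # assumed 10 Mbps Ethernet
OVERHEAD_BYTES = 20          # assumed preamble + SFD (8) + inter-frame gap (12)

# Constructed sample capture: (arrival time in ms, frame size in bytes).
# Three small frames in a tight burst, then one larger frame 50 ms later.
SAMPLE_FRAMES = [
    (0.00, 64),
    (0.10, 64),
    (0.20, 64),
    (50.00, 1000),
]


def wire_bits(size_bytes):
    """Bits the frame occupies on the medium, including the assumed overhead."""
    return (size_bytes + OVERHEAD_BYTES) * 8


def utilization_per_frame(frames, window_ms):
    """Utilization shown at each frame: bits seen in the window_ms interval
    ending at that frame's arrival, as a percentage of what the line could
    carry in that interval (a look-back moving window, capped at 100%)."""
    capacity_bits = LINE_RATE_BPS * window_ms / 1000.0
    results = []
    for i, (t_end, _) in enumerate(frames):
        t_start = t_end - window_ms
        bits = sum(wire_bits(size) for t, size in frames[:i + 1] if t > t_start)
        results.append(min(100.0, 100.0 * bits / capacity_bits))
    return results


def peak_utilization(frames, window_ms):
    """Highest utilization reported at any frame for the given window size."""
    return max(utilization_per_frame(frames, window_ms))


def utilization_table(frames, windows_ms=(1, 10, 100, 1000)):
    """Peak utilization for each window size, in the shape of the table above."""
    return {w: round(peak_utilization(frames, w), 2) for w in windows_ms}


if __name__ == "__main__":
    for window, pct in utilization_table(SAMPLE_FRAMES).items():
        print(f"{window:>5} msec window: {pct:6.2f}%")
```

The same 1000-byte frame shows as 81.6% in a 1 msec window and 0.1% in a 1000 msec window, which is why a utilization figure should always be read together with its window size.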
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Detail View


Frame 1 arrived at 19:66:54.649; frame size is 32 (0020 hex) bytes.
AC: Frame priority 0, Reservation priority 0, Monitor count 4
FC: MAC frame, PCF attention code: Active monitor present
FS: Addr recognized indicators: 11, Frame copied indicators: 11
Destination = BROADCAST C000FFFFFFFF, Broadcast
Source = Station IBM 46486)

MAC Command: Active Monitor Present
Source: Ring station, Destination: Ring station
Subvector type: Physical Drop Number 66666068
Subvector type: Upstream Neighbor Address IBM G64BF1

The Detail View shows the contents of the interpreted protocols
within the frame, including the fields and parameters within
each protocol.
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Hexadecimal View

[Screen capture: the Hexadecimal View of a frame, with offsets, hex bytes and the text column (a NetWare path fragment, /LIB/IBMPC/D..., is legible in the text column).]

The Hexadecimal View shows all bytes within the frame to
provide a record of the received data.
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Hexadecimal View
Text Display Options

• ASCII / EBCDIC / Dynamic mode
Show the frame data as either ASCII or EBCDIC characters.

Dynamic mode lets the Sniffer Analyzer automatically decide if
characters should be displayed as ASCII or EBCDIC.

• ASCII parity bit

Default is that the 8th (high order) bit of each character is considered
part of the character and is not ignored. For example, 41 (Hex) is
displayed as an A, but C1 (Hex) is displayed as a period since it is a
non-"displayable" character.

If you work with a protocol that always uses the 8th bit for parity, you
can tell the Sniffer Analyzer to ignore the 8th bit. Then a 41 (Hex) or
a C1 (Hex) are both displayed as the character A.
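The options above map directly onto a small hex-dump routine. This added Python example (not the Sniffer's own code) renders offset, hex and text columns with ASCII, EBCDIC or Dynamic mode and the parity-bit switch; the dump layout and the Dynamic-mode heuristic (pick the character set that yields more letters and digits) are assumptions, and Python's cp037 code page stands in for the analyzer's EBCDIC table.

```python
# Added example: a hex dump with the text-column options described above.
# Not the Sniffer's code; the layout and the Dynamic-mode heuristic are assumptions.
from typing import List

EBCDIC_CODEC = "cp037"   # Python's EBCDIC (US/Canada) code page, used in place of the analyzer's table


def ascii_char(b: int, ignore_parity: bool = False) -> str:
    """Text-column character for one byte in ASCII mode. With ignore_parity the
    8th (high order) bit is dropped first, so 0x41 and 0xC1 both show as 'A';
    otherwise 0xC1 is non-displayable and shows as a period."""
    if ignore_parity:
        b &= 0x7F
    return chr(b) if 0x20 <= b < 0x7F else "."


def ebcdic_char(b: int) -> str:
    """Text-column character for one byte in EBCDIC mode."""
    ch = bytes([b]).decode(EBCDIC_CODEC)
    return ch if 0x20 <= ord(ch) < 0x7F else "."


def choose_charset(data: bytes) -> str:
    """Dynamic mode (assumed heuristic): pick the character set under which
    more of the bytes decode to letters or digits."""
    ascii_score = sum(ascii_char(b).isalnum() for b in data)
    ebcdic_score = sum(ebcdic_char(b).isalnum() for b in data)
    return "EBCDIC" if ebcdic_score > ascii_score else "ASCII"


def text_column(data: bytes, charset: str = "DYNAMIC", ignore_parity: bool = False) -> str:
    """The text column for a run of bytes under the chosen display option."""
    if charset == "DYNAMIC":
        charset = choose_charset(data)
    if charset == "EBCDIC":
        return "".join(ebcdic_char(b) for b in data)
    return "".join(ascii_char(b, ignore_parity) for b in data)


def hex_view(data: bytes, charset: str = "DYNAMIC", ignore_parity: bool = False,
             width: int = 16) -> List[str]:
    """Lines of 'offset  hex bytes  text'; offsets count from the start of the frame.
    Dynamic mode is decided once for the whole frame, not per line."""
    if charset == "DYNAMIC":
        charset = choose_charset(data)
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        lines.append(f"{offset:04X}  {hex_part}  {text_column(chunk, charset, ignore_parity)}")
    return lines


# Constructed sample payloads (not taken from a real capture).
ASCII_SAMPLE = b"GET /index.html\r\n"
EBCDIC_SAMPLE = "LOGON USER1".encode(EBCDIC_CODEC)
PARITY_SAMPLE = bytes([0x41, 0xC1, 0x42, 0xC2])   # 'A', 'A', 'B', 'B' with the parity bit set on two of them

if __name__ == "__main__":
    for line in hex_view(ASCII_SAMPLE):
        print(line)
    print(hex_view(EBCDIC_SAMPLE)[0])                          # Dynamic mode picks EBCDIC
    print(hex_view(PARITY_SAMPLE, "ASCII")[0])                 # text column A.B.
    print(hex_view(PARITY_SAMPLE, "ASCII", ignore_parity=True)[0])   # text column AABB
```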


Two Viewports 


[Screen capture: the screen split into left and right viewports. Each side has its own Summary window (left at Frame 1 of 51, right at Frame 15 of 51) and its own Detail window, so the MAC Active Monitor Present frame on the left can be compared with the MAC Standby Monitor Present frame on the right.]

The Two Viewports option allows you to look at two different
frames simultaneously, in up to six different views.
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Exercise (Ethernet) 


Objective: Use the Summary and Detail windows to determine why a 
user can’t log on to a Novell server on the first try. 


1. Load (FILES\LOAD\DATA) from the file 
C:\CAPTURE\TC101C\NOVELL.ENC. 


2. Press F3 to display the data. In the summary window, notice the following 
conversation: 


The workstation DAN tries to verify Dan’s password. 
The server S1 says the password verification failed. 
The workstation tries to verify Dan’s password again. 
This time the server says “OK”. 


3. Press F6 to view the Display Options menu. Turn on the Detail Window. Press 
F3 to go back to the display. 


4. TAB into the Detail window. Once you’re in the Detail window, you can use F8 
(Next frame) to look at frames beyond frame 1. 


5. Compare the Detail window for frames 1 and 3. Why do you think the password 
verification failed the first time? 




Exercise (Token Ring)

Objective: Use the Summary, Detail and Hex windows to determine
the physical location of the devices in question.
Background: This is a Novell NetWare network where a workstation
called JAG is communicating with a server called CIS02.

1. Load (FILES\LOAD\DATA) from the file
C:\CAPTURE\TC101C\DISPOPT.TRC.
2. Press F3 to display the data and press PgDn to get to frame 52 quickly. Notice
that NetWare Core Protocol (NCP) is the highest layer protocol displayed.
3. Press F6 for Display Options, turn on All layers in the Summary window, and
turn on the Detail and Hex windows.
4. In frame 52, workstation JAG is creating a connection with server CIS02, with
JAG as the source and CIS02 as the destination address. What are the protocols
that run beneath NCP?
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Exercise (continued)

5. Turn All layers off. Tab into the Detail window and scroll up until you
can see the Routing Indicators header. What type of source routed
broadcast is this frame?

6. Press F8 twice to go to frame 54. In this frame, JAG is again sending an
NCP packet to CIS02 to check the server version. Look for the Routing
Indicators in frame 54. Is there any routing information? What does this
tell us about the physical location of JAG and CIS02?

7. Study the NCP command and response in frames 58 and 59. What is
unusual about this?
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Searching for Frames

Go to frame nn       Enter frame #nn and go there
Search for text      Enter text and select where to search
                       Summary:    Finds interpreted text
                       Detail:     Finds interpreted text
                       Frame data: Looks in frame data only
Search for pattern   Find a specified pattern in a frame
Jump to mark         Find mark
Jump to trigger      Find trigger
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Exercise (Ethernet) 


Objective: Use Display options to determine the efficiency of Telnet. 


1. After resetting system defaults, load from file 
C:\CAPTURE\TC101C\TCPIP.ENC and study frames 4 - 6. 


2. Turn on the Bytes and Cumulative bytes Summary window options. Turn on the 
Detail window too. 


3. What is the Telnet data sent by the workstation in frame 4? 
4. What is the response from the host? 
5. How large are the frames? 


6. Determine the total number of bytes necessary to send one character to the host ina 
Telnet session. Include all responses and acknowledgments. (Hint: remember to 
use the Set Mark option.) 


© 
Network 
Troubleshooting with the Expert Sniffer Network Analyzer - 6/94 Rev. 4.4 Displaying Captured Traffic - 25 General 


141 


U. ‘ “4 mM © Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


Exercise (Token Ring) 
Objective: Use Display options to determine the efficiency of Telnet. 


1. After resetting system defaults, load from file 
C:\CAPTURE\TC101C\TCPIP.TRC and study frames 3 - 5. 


2. Turn on the Bytes and Cumulative bytes Summary window options. Turn on the 
detail window too. 


3. What is the Telnet data sent by the workstation in frame 3? 
4. What is the response from the host? 
5. How large are the frames? 


6. Determine the total number of bytes necessary to send one character to the host in a 
Telnet session. Include all responses and acknowledgments. (Hint: remember to 
use the Set Mark option.) 
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Response Time Measurement:
a Practical Application of Display Options

Various samples of response time measurements can be useful when
troubleshooting, establishing a baseline, and analyzing performance on
your network. Here is one procedure for finding workstation-to-server
response time.

1. Collect traffic between a workstation and a server.
2. Identify a command to mark, and press F2 to Mark it.
3. Turn on Relative Time, under summary window options.
4. Find the response in the summary display window.
5. Look at the relative time in the response. The relative
time in the response will specify how much time has
elapsed since the command that you marked.
6. Record the relative time.
7. When you suspect problems, try this procedure again and
see if the response time has changed significantly.
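The procedure above carried out in code, as an added example that is not part of the course: Summary rows with Delta, Relative and Cumulative bytes computed from a marked frame, a display filter to a station pair (as in the Telnet byte-count exercise), and the response time read off the first reply. Frames are constructed sample data; counting the marked frame's own bytes into the cumulative total and matching the response by reversed source/destination are assumptions.

```python
# Added example: Summary-window time and byte columns from a mark, plus the
# response-time read-out. Not the Sniffer's code; frames are constructed samples.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Frame:
    number: int
    abs_time: float      # seconds since midnight, as the analyzer's clock would report
    src: str
    dst: str
    size: int            # bytes in the frame
    summary: str         # one-line interpretation


@dataclass
class SummaryRow:
    number: int
    delta: Optional[float]   # seconds since the previously displayed frame
    relative: float          # seconds from the marked frame (negative before it)
    cumulative: int          # bytes from the marked frame onward (mark included: assumption)
    flags: str               # 'M' on the mark frame, as in the Flags column


def summary_rows(frames: List[Frame], mark_no: int,
                 keep: Optional[Callable[[Frame], bool]] = None) -> List[SummaryRow]:
    """Rows as the Summary window shows them with Delta, Relative and Cumulative
    bytes turned on. `keep` acts like a display filter: Delta is measured
    between displayed frames only, which is why filtering changes it."""
    shown = [f for f in frames if keep is None or keep(f)]
    mark = next(f for f in frames if f.number == mark_no)
    rows, prev_time, cumulative = [], None, 0
    for f in shown:
        if f.number >= mark_no:
            cumulative += f.size
        rows.append(SummaryRow(
            number=f.number,
            delta=None if prev_time is None else round(f.abs_time - prev_time, 6),
            relative=round(f.abs_time - mark.abs_time, 6),
            cumulative=cumulative,
            flags="M" if f.number == mark_no else " ",
        ))
        prev_time = f.abs_time
    return rows


def response_time(frames: List[Frame], mark_no: int) -> Optional[float]:
    """Steps 4 and 5: relative time of the first frame after the mark that flows
    back from the command's destination to its source (assumed match rule)."""
    mark = next(f for f in frames if f.number == mark_no)
    for f in frames:
        if f.number > mark_no and f.src == mark.dst and f.dst == mark.src:
            return round(f.abs_time - mark.abs_time, 6)
    return None


def session_bytes(frames: List[Frame], mark_no: int, station_a: str, station_b: str) -> int:
    """Cumulative bytes for one two-station conversation: filter to the pair,
    then read the last displayed row's count."""
    rows = summary_rows(frames, mark_no,
                        keep=lambda f: {f.src, f.dst} == {station_a, station_b})
    return rows[-1].cumulative if rows else 0


# Constructed sample trace (times in seconds): WS sends an NCP command to
# Server, another station chatters in between, then Server replies.
SAMPLE = [
    Frame(216, 36000.000000, "Other", "Broadcast", 64, "SAP General query"),
    Frame(217, 36000.001200, "WS", "Server", 78, "NCP C Lock file"),
    Frame(218, 36000.003100, "Other", "Broadcast", 64, "SAP General query"),
    Frame(219, 36000.009700, "Server", "WS", 60, "NCP R OK"),
    Frame(220, 36000.012000, "WS", "Server", 70, "NCP C Read file"),
]

if __name__ == "__main__":
    for row in summary_rows(SAMPLE, mark_no=217):
        print(row)
    print("response time (s):", response_time(SAMPLE, 217))
    print("bytes WS<->Server from mark:", session_bytes(SAMPLE, 217, "WS", "Server"))
```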
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Exercise (Ethernet) 


Objective: To use the Relative Time option to perform response time 
measurements of an NFS read command. 


Background: This is a trace of a multi-protocol network consisting of 
TCP/IP, DEC, AppleTalk, and U-B XNS protocols. We 
are concentrating on the NFS session initiated by cetusle. 


1. After resetting system defaults, load the file 
C:\CAPTURE\TC101C\TCPDEMO6.ENC. 


2. Press F3 twice to remove the Expert window and display the data. Press F6 and 
set Name Width to 18, turn on Relative time and Bytes, and turn off Delta time 
under Summary window options. Press F3 and note the difference in the display. 


3. Press F6 for Display Options and Search for the text cetusle in the Summary 
window. What is the frame number of the first frame sent by cetusle? 


4. Press F6 and Go to frame 262. You should find an NFS Read command asking 
server 128.169.200.40 for 8192 bytes of data. Press F2 to Mark this frame. 
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Exercise (continued) 


5. Examine frames 263 - 268. These frames contain the 8192 data bytes being sent 
by the server, but are divided up into 6 frames (1 NFS Response frame and 5 
UDP continuation frames). How long did it take to completely respond to the 
Read command? 


Hint: The last fragment of this data transfer occurs in frame 268. 


6. Now, Go to frame 630. This is also a Read command for 8192 bytes. Mark this 
frame. 


7. Examine frames 631 - 642. Just like in the previous Read command, the 
response is sent out using 6 frames. What is the response time for this Read 
command? 


8. Why are the response times different between these similar NFS commands? 
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Exercise (Token Ring)

Objective: To use the Relative time option to perform response time
measurements of an NCP Lock File command.

Background: This is a trace of a Novell NetWare network. We are
concentrating on Lock File Requests and the response
time for the request's success.

1. Load and press F3 twice to display C:\CAPTURE\TC101C\CROSS.TRC.

2. Press F6 for Display options, set Name Width to 18, and Go to frame 217. This
frame is a Novell NetWare workstation/server conversation. Press F6 and move
to Manage names and Edit names to name the workstation WS and the server
Server.

Hint: The workstation sends Commands (C) and the server sends Responses (R).

3. Press F3 to re-display the data using the new names.

4. Press F2 to set the Mark at frame 217. Press F6 for Display options, and turn on
Relative time and turn off Delta time under Summary window options. Also
turn on the Detail window. Press F3 to re-display the data.
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Exercise (continued)


5. Notice that WS is attempting to lock a file in frame 217. In what frame does 
Server successfully lock that file? Hint: Look for the next frame where WS is 
the destination and Server is the source. 


6. What is the response time for this command? 


7. Goto frame 808. This is another NCP Lock command from WS to Server. 
Press F2 to set the Mark at frame 808, and then locate the response. What is the 
frame number, and what is the response time for this Lock command? 


8. Why are the response times different between these similar NCP commands? 
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What's in a Name?

In an effort to make the Analyzer screens more
“readable”, names associated with captured addresses are
displayed in place of network or DLC addresses.

The names are discovered automatically by the Sniffer
during initialization, capture, first display of data, and
throughout display.

The name information is stored in a Name Table which
contains the address layer, the station address, and the
station name.

The Name Table is an ASCII text file named
STARTUP.xxD found in the C:\xxSNIFF directory.
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Manage Names

DISPLAY\MANAGE NAMES\...

Edit Names       Add, delete or change names

Clear All Names  Delete all current names. CAUTION!

Look For Names   Discover and assign names from within frame data. If
                 checked, look for names automatically during capture.

Resolve Names    Read an existing name file to find names for unknown
                 addresses

Save Names       Save the current names to disk. If enabled, save names
                 automatically when exiting.

Name Width       Specifies the address field size from 6 to 31
                 characters. IP addresses are up to 17 characters long,
                 for example.

See Appendix for sample Name Table (STARTUP.TRD).
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Exercise (Ethernet) 


Objective: Review the Sniffer’s name management functions. 
1. Load and Display the trace file C:\CAPTURE\TC101C\TCPIP.ENC. 


2. Look at the NFS workstation and server conversation in frame 1. Is 
36.53.0.10 the workstation or the server? 


3. Press F6, move to Manage names, and select Edit names. Find IP address 
36.53.0.10 and press Enter to give that address the name Server. 


4. Press Esc and F3 to display the data and study the results. 


5. Select Manage names\Edit names and look for the name
SUSHI.STANFORD.EDU. What is SUSHI.STANFORD.EDU’s IP
address? Press Esc twice.


6. To see how the Sniffer determined SUSHI’s IP address, Search for text on
SUSHI. This frame you found is the Domain Name System (DNS)
Command to look for SUSHI.STANFORD.EDU’s IP address.


7. Find the DNS Reply frame. Look at the Detail decode of the frame to see 
how the Sniffer found SUSHI’s IP address. 
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Exercise (Token Ring) 
Objective: Review the Sniffer’s name management functions. 
1. Load and Display the trace file C:\CAPTURE\TC101C\TCPIP.TRC. 


2. Look at the NFS workstation and server conversation in frame 1. Is 
36.53.0.10 the workstation or the server? 


3. Press F6, move to Manage names, and select Edit names. Find IP address 
36.53.0.10 and press Enter to give that address the name Server. 


4. Press Esc and F3 to display the data and study the results. 


5. Select Manage names\Edit names and look for the name 
SUSHI.STANFORD.EDU. What is SUSHI.STANFORD.EDU’s IP 
address? Press Esc twice. 


6. To see how the Sniffer determined SUSHI’s IP address, Search for text on 
SUSHI. This frame you found is the Domain Name System (DNS) 
Command to look for SUSHI.STANFORD.EDU’s IP address. 


7. Find the DNS Reply frame. Look at the Detail decode of the frame to see 
how the Sniffer found SUSHI’s IP address. 
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Printing Options Menu

[Screen capture: the Main menu (Cable tester, Traffic generator, Capture filters, Trigger, Schedule, Expert config, Files, Options, Exit) with Display options open: Summary, Detail, Hex, Two viewports, Name width = 15, Print, Protocol forcing. The Print submenu shows To last frame / To frame 936, Device LPT1 / Device COM1 / File, Plain text format / CSV (spreadsheet). Help line at the bottom of the screen:]

Print the capture data to a device or file
using the currently selected display formats.
Use the arrow keys to move, or ENTER to do this function
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Printing Methods

Frame printing is found under Display options.

The print contents are dependent upon which display options are set. The information showing
on the screen is what gets printed.

Example: To print the detail decode of all the protocol layers, as well as a hex dump of
the frame, set these display options: Summary off, Detail on, Hex on, All layers
on.

Procedure:
1. Select display options.
2. Select Print.
3. Select a printer port or print to a file.
4. Select the frames to be printed.
5. Select a print format; i.e. with or without titles, from the print submenu.
Plain text format offers page titles and page size specification. Delimited,
also known as CSV (Comma Separated Variable), puts frame data in a
format suitable for importing to a database or spreadsheet without titles.
6. Select page size desired. (number of lines appearing on one page;
remember, this is a Plain text option only)
7. Select Print, and press Enter.

If printing to a file, you will be prompted for a file name.
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Exercise: Printing Captured Frames 


Objective: To become familiar with printing functions on the Sniffer. 


Background: A user may require hard copy decode information for 
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documenting a problem for a vendor. Archiving of hard 
copy traces are also useful as part of baselining procedures. 


Load the trace file C:\CAPTURE\TC101C\TCPIP.XXC (where XX is EN = Ethernet or TR 
= Token Ring). Find the first NFS Read command given by mafalda. Press F2 to Mark this 
frame. 


The next frame is the NFS response sent by the server. Highlight the frame. 


Print the detail decode of all the layers in these two frames. Notice that the Sniffer Analyzer 
automatically fills in the From frame... and To frame... with the Mark and the 
highlighted frame respectively. 


Use page titles and default page size settings by first selecting Plain text format and then 
configuring those options as desired. 


Print to a file and specify your name as the filename. (it will append .PRN) Make note of the 
directory location for this file. 


Repeat the print, but in CSV format, using your name again. (it will append .CSV) 


See sample files in the appendix. 
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Exercise: Verify Print Files 


1. Exit the Sniffer . 


2. Select Return to DOS from the Main Selection Menu, or press Esc. 


3. When you see the DOS C:\> prompt, type: 
CD \CAPTURE\TC101C 
DIR *.PRN 
TYPE Your Name.PRN | MORE 


Look at the data you printed to a file - is it the way you selected? 


4. Type in TYPE Your Name.CSV | MORE to look at the CSV file you created. 
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Exercise: Examine System Files

1. To get to the directory location of the system files, type:
CD \ENSNIFF (for Ethernet)
or
CD \TRSNIFF (for Token Ring)

DIR STARTUP.*

2. Look at all the STARTUP files, by typing:
TYPE <FileName> | MORE

3. Verify the following file information (some of these may not exist yet),
where xx is EN = Ethernet or TR = Token Ring:
STARTUP.xxA — Advanced Monitor alarm thresholds
STARTUP.xxB — Advanced Monitor option settings
STARTUP.xxD — Analyzer and Advanced Monitor name table
STARTUP.xxI — Analyzer and Advanced Monitor manufacturer ID's for network cards
STARTUP.xxT — Analyzer EtherType and 802.2 LLC Service Access Point (SAP) table
STARTUP.xxV — Expert Analyzer settings
STARTUP.xxS — Analyzer menu options when starting up: located in C:\CAPTURE

4. To get back to the Main Selection Menu, type menu at the DOS prompt.
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Section Summary

• Moving between and within views
• Display windows
— Expert view
— Summary view
— Detail view
— Hexadecimal view
• Searching for frames
• Managing frames
• Printing


Using Filters

Troubleshooting with the Expert Sniffer Network Analyzer - 6/94 Rev. 4.4    Using Filters - 1


Section Objectives

• Define Filters
• Discuss the Use of Filters
• Introduce Capture and Display Filter Options
— Common Filters
— Capture Exclusives
— Display Exclusives
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• What is a Filter?


— A filter is a means by which you can limit the frames 
accepted into the capture buffer or included in the 
displayed information. 


• Why use Filters?


— Filters can be used to “zoom” in on a particular issue 
while discarding all extraneous information. Such 
focus is helpful in troubleshooting, in baselining, and 
in learning about your network and its protocols. 


• What type of Filters are available?
— Capture 


— Display 
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Capture Filters

[Screen capture: the Capture Filters menu tree. Destination class: Broadcast, Specific. Station address: From <any station> / To <any station>, Known stns only, Unknown stns only, Match 1 to Match 4, Others, Reverse direction, Include these / Exclude, Include others / Exclude. Protocol: Good frames, Bad CRC +, Short +, LOOP E-type, Netmap TCP E-type, Netmap XNS E-type, Other E-type, SNAP SAP, BPDU, NetBIOS (IBM) SAP, Other SAP. Pattern Match. A bracket labelled "Covered in this section" spans Destination class, Station address, Protocol and Pattern Match.]

+ = Ethernet only
Known/Unknown Stations

• The Unknown Stations filter lets you locate and identify new or unauthorized physical (DLC) addresses on the network. When it is enabled, the capture buffer accepts only frames going to or from addresses that have no entry in the Name Table.

• Use it first to find and name every station on the segment. Once everyone has been named, run it again periodically to look for new or unauthorized access.

• The Known Stations filter does the opposite: it discards frames from stations that have no alias in the Name Table. By choosing who is in the Name Table you can capture traffic from only those named stations.

• Caveat: a DLC address is trivially changed on most adapters, so an unknown-station sweep finds unregistered adapters, not an intruder who has copied a known station's address. Treat it as an inventory check, not as an access control.




Destination Class Filters

• Broadcast
    — Used to filter frames that are addressed to broadcast or multicast destinations.
    — Broadcast frames are designed to reach every station on a network.
    — Multicast frames are used to send information to a group of stations.
    — In Display Filters only, you can also filter on network layer broadcast addresses.

• Specific
    — Used to filter frames containing a destination address of a specific station.
Station Address Filters

  Match 1   From <SalesSrvr>   To <any station>   Reverse direction: on   Include these
  Others    Exclude

• Up to 4 individual stations or pairs of stations can be filtered. The example above captures traffic to or from SalesSrvr.

• Reverse direction makes the filter work on both sides of a conversation between two stations (From A To B also matches From B To A).

• Each filter slot can be used to exclude stations instead. If you do that, make sure to change Others to Include; otherwise you will filter out every station address.
Strategic Station Matching

• The Station Address filters are evaluated in sequence, so their order matters.

• EXAMPLE: capture all of Server-1's traffic except its conversation with Gateway A.

  Slot      Name          Source Address   Destination Address   Reverse Direction   Include / Exclude
  Match 1   S1 to A       Server-1         Gateway A             Yes                 Exclude
  Match 2   S1 to others  Server-1         <any>                 Yes                 Include
  Match 3   [Match 3]     <any>            <any>                 [Yes]               [Include]
  Match 4   [Match 4]     <any>            <any>                 [Yes]               [Include]
  Others                                                                             Exclude

  A frame is tested against Match 1 first, so a Server-1 / Gateway A frame is excluded there and never reaches Match 2. If the two slots were swapped, "S1 to others" would include the Gateway A frames before the exclusion was ever consulted.
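The sequential evaluation described above, written out as an added example (this is not code from the course or from the Sniffer product). Station names stand in for Name Table aliases, the frames are constructed for the demonstration, and the slot order is the only thing that differs between the two runs:

```python
"""Sequential evaluation of Sniffer-style Station Address filter slots.

Added example, not code from the Network General course or the Sniffer
product.  Station names (Server-1, Gateway A, WS-7) stand in for Name Table
aliases; the frames in SAMPLE are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # the <any station> setting of a From/To field


@dataclass(frozen=True)
class StationMatch:
    """One Match slot: From/To stations, Reverse direction, Include/Exclude."""
    src: Optional[str]
    dst: Optional[str]
    reverse: bool = True
    include: bool = True

    def hits(self, frame_src: str, frame_dst: str) -> bool:
        def same(want: Optional[str], got: str) -> bool:
            return want is ANY or want == got

        forward = same(self.src, frame_src) and same(self.dst, frame_dst)
        backward = self.reverse and same(self.src, frame_dst) and same(self.dst, frame_src)
        return forward or backward


def accept(frame_src: str, frame_dst: str,
           slots: List[StationMatch], include_others: bool) -> bool:
    """Slots are consulted in order; the first slot that hits decides.

    A frame that hits no slot gets the Others setting.
    """
    for slot in slots:
        if slot.hits(frame_src, frame_dst):
            return slot.include
    return include_others


# The course's "Strategic Station Matching" example: everything Server-1 says
# or hears, except its conversation with Gateway A.  Others = Exclude.
STRATEGIC = [
    StationMatch("Server-1", "Gateway A", reverse=True, include=False),  # Match 1
    StationMatch("Server-1", ANY,         reverse=True, include=True),   # Match 2
]

# Constructed sample traffic: (source, destination) pairs.
SAMPLE = [
    ("Server-1", "Gateway A"),
    ("Gateway A", "Server-1"),
    ("WS-7", "Server-1"),
    ("Server-1", "WS-7"),
    ("WS-7", "Gateway A"),
]


def run_filter(slots: List[StationMatch], include_others: bool = False
               ) -> List[Tuple[str, str]]:
    """Return the frames that would be admitted to the capture buffer."""
    return [f for f in SAMPLE if accept(f[0], f[1], slots, include_others)]


if __name__ == "__main__":
    print("correct order :", run_filter(STRATEGIC))
    # Swap the two slots and the exclusion is never reached, because the
    # "Server-1 to <any>" slot has already included the Gateway A frames.
    print("swapped order :", run_filter(STRATEGIC[::-1]))
```

With the slots in the order the course shows, only the Server-1 / WS-7 frames survive; reverse the two slots and both Gateway A frames are admitted, which is the mistake the page warns about.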
A Note About the Name Table

The Known Stations Only, Unknown Stations Only, and Station Address filters all use the information contained in the Name Table. For these filters to work effectively, the Name Table must be properly maintained.

Commands to remember:
  DISPLAY\MANAGE NAMES\EDIT NAMES
  DISPLAY\MANAGE NAMES\LOOK FOR NAMES
  DISPLAY\MANAGE NAMES\SAVE NAMES
Protocol Filters

• Capture protocol filters
    — Limited to the protocol indicated in the Data Link header: the Ethertype of an Ethernet II frame, or the SAP of an 802.2 LLC header (802.3 or Token Ring).
    — Ethertype examples: IP = 0800 (hex), LAT = 6004 (hex)
    — SAP examples: IP = 06 (hex), SNA = 04, 05, 08, 0C (hex)
    — Anything above the data link layer (TCP versus UDP, DNS versus Telnet) is invisible to a capture protocol filter; use a display protocol filter or a pattern match for that.
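What "limited to the Data Link header" means in practice, as an added example (not code from the course or the Sniffer product): a classifier that tags a frame only by Ethertype or LLC SAP, for both Ethernet and Token Ring. The frames in SAMPLES are constructed by hand with placeholder MAC addresses, and the tag strings ("etype:0800", "sap:F0", "snap:0800", "mac") are this example's own naming.

```python
"""Classify a frame the way a Sniffer capture protocol filter sees it: by
Ethertype or by LLC SAP only, never by anything above the data link layer.

Added example, not code from the course or the Sniffer product.  The frames
in SAMPLES are constructed by hand; MAC addresses are placeholders.
"""
import struct
from typing import Dict, List

ETHERNET, TOKEN_RING = "ethernet", "token ring"
SNAP_SAP = 0xAA


def llc_protocol(llc: bytes) -> str:
    """Identify an 802.2 LLC header by DSAP, or by the SNAP protocol id when
    DSAP and SSAP are both AA."""
    if len(llc) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap = llc[0], llc[1]
    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        # UI control byte, then a 3-byte OUI and a 2-byte protocol id (an Ethertype)
        if len(llc) < 8:
            raise ValueError("truncated SNAP header")
        pid = struct.unpack("!H", llc[6:8])[0]
        return "snap:%04X" % pid
    return "sap:%02X" % dsap


def ethernet_protocol(frame: bytes) -> str:
    """Ethernet II (type field >= 0x0600) is filtered by Ethertype; 802.3 by
    LLC SAP.  A NetWare 'raw' 802.3 frame has no LLC header, so its IPX
    checksum FFFF is seen as SAP FF, which is exactly what the analyzer sees."""
    if len(frame) < 14:
        raise ValueError("truncated MAC header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return "etype:%04X" % type_or_len
    return llc_protocol(frame[14:])


def token_ring_protocol(frame: bytes) -> str:
    """Token Ring has no Ethertype: MAC frames (AMP, SMP, Beacon, ...) are one
    class; everything else is identified by the LLC header after the optional
    routing information field (RIF)."""
    if len(frame) < 14:
        raise ValueError("truncated Token Ring header")
    fc = frame[1]                      # AC is frame[0], FC is frame[1]
    if fc & 0xC0 != 0x40:              # frame-type bits: 00 = MAC frame, 01 = LLC frame
        return "mac"
    offset = 14                        # AC, FC, 6-byte destination, 6-byte source
    if frame[8] & 0x80:                # routing information indicator on the source address
        offset += frame[14] & 0x1F     # RIF length is the low 5 bits of its first byte
    return llc_protocol(frame[offset:])


def link_protocol(media: str, frame: bytes) -> str:
    return ethernet_protocol(frame) if media == ETHERNET else token_ring_protocol(frame)


def capture_filter(media: str, frames: List[bytes], wanted: str) -> List[bytes]:
    """Admit only frames whose data-link protocol tag equals `wanted`."""
    return [f for f in frames if link_protocol(media, f) == wanted]


# Constructed sample frames (payloads truncated; only the headers matter here).
DST, SRC = bytes.fromhex("0000c0aabbcc"), bytes.fromhex("0000c0112233")
SAMPLES: Dict[str, bytes] = {
    "ip over ethernet ii":     DST + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19,
    "lat over ethernet ii":    DST + SRC + b"\x60\x04" + b"\x00" * 8,
    "ipx over raw 802.3":      DST + SRC + b"\x00\x1e" + b"\xff\xff" + b"\x00" * 28,
    # FC 0x40 = LLC frame, source address with the RII bit, 2-byte RIF, SNAP, IP
    "dns over token ring":     b"\x10\x40" + DST + (b"\x80" + SRC[1:]) + b"\x02\x70"
                               + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19,
    "netbios over token ring": b"\x10\x40" + DST + SRC + b"\xf0\xf0\x03" + b"\x00" * 4,
    "amp on token ring":       b"\x10\x00" + DST + SRC + b"\x00\x00\x00\x06" + b"\x00" * 4,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        media = TOKEN_RING if "token ring" in name else ETHERNET
        print("%-24s -> %s" % (name, link_protocol(media, frame)))
```

Note that on Token Ring the DNS frame can only be selected as "IP carried in SNAP"; the filter cannot tell DNS from any other IP traffic, which is why the Token Ring exercise later in this section has you compare the LLC layer of a DNS frame with the other frame types in the trace before choosing a capture protocol filter.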
Capture Protocol Filter Options

Ethertype entries (Ethernet only; Token Ring does not use Etype filters):
  LOOP, Netmap TCP, Netmap XNS, XTP, IBMRT, IPX, NetWare, XNS, 3Com NBP, IP, ARP, TRLR, PUP, PUP ARP, SNMP,
  MOP DL, MOP RC, DRP, LAT, LAVC, IP (VINES), Loop (VINES), Echo (VINES), LAP (Atalk), ARP (Atalk), Other Etype

SAP entries:
  SNAP, BPDU, NetBIOS (IBM), SNA, RPL, IBMNM, IPX, ISO/NetWare, NetWare, XNS, IP, LLC (VINES), X.25, Other SAP


Pattern Matching

Using its pattern matching system, the Sniffer can perform functions based on a specific sequence of bytes at a particular location in the frame. The pattern match can be used for triggering, capture filtering, display filtering, searching, and protocol forcing.

  Trigger           Describes a Trigger event.
  Capture           Create a filter to include/exclude frames from capture to the buffer.
  Display           Create a filter to include/exclude frames from display.
  Search            Find specific patterns within frames in the capture buffer.
  Protocol Forcing  Create a special condition for invoking the protocol force.

Example: Suppose you want to set a display filter that shows only Novell Read commands. By looking at the Detail and Hex display of such a frame, you can see that the Request code is 72 (dec) or 48 (hex) at an offset of 32 (hex) from the beginning of the frame. Enter the hexadecimal values in the Display filter pattern match section and press F3 to re-display.
The Pattern Match (menu screen)

Each of Match 1 - Match 4 offers:
  Match / Don't match
  Frame-relative / Data-relative offset
  Either offset
  Two patterns, each with  Pattern = XXXX...  and  Offset = 000 (hex), joined by AND / OR
  Pattern format: Hexadecimal / Character / Binary

Defaults shown on the screen: Match, Either offset off, Hexadecimal pattern format.
Pattern Match Options

• Match / Don't match
    — Perform the function if the pattern is (Match) or is not (Don't match) found.
    — Don't match is the same as a boolean NOT, and operates on each pattern individually.

• Either offset
    — When both patterns are used in a match section, also perform the function when the offsets of the two patterns are swapped.
    — Example: a dual pattern match display filter is shown on the left below. With Either offset on, frames that satisfy either the left or the right combination pass the filter.

      Pattern 23 (hex)  AND  Pattern 420 (hex)        Pattern 23 (hex)  AND  Pattern 420 (hex)
      Offset 30 (hex)        Offset 32 (hex)          Offset 32 (hex)        Offset 30 (hex)
Pattern Match Options (continued)

• Data or Frame relative offset
    — Determines the point from which the offset (a number of bytes, in hex) is counted.

      Frame relative:   | MAC Header ... 0800 | Data ... Pattern ... | CRC |
                        |<------ Offset ------>|
      Data relative:    | MAC Header ... 0800 | Data ... Pattern ... | CRC |
                                              |<-- Offset -->|

    — Frame relative counts from the first byte of the frame; Data relative counts from the first byte after the MAC header (the byte following the 0800 type field in the diagram).

• AND/OR boolean logic
    — If two patterns are AND'ed, both patterns must be found in the frame for it to pass.
    — If two patterns are OR'ed, either pattern found in the frame lets it pass.

• Pattern format
    — The pattern can be specified in hexadecimal, character, or bit (binary) format.
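The pattern match options above (frame- versus data-relative offsets, Match / Don't match, AND / OR, Either offset, and don't-care bytes in a character pattern), implemented as an added example rather than code from the course or the Sniffer product. The NCP frames are constructed by hand so that raw 802.3 framing (14 bytes) plus the 30-byte IPX header puts the NCP request type at 0x2C and the function or completion code at 0x32, the offsets the course quotes; the two-byte 3333 check in OK_REPLY is this example's addition to the exercise's "Completion code = 00" match.

```python
"""A Sniffer-style pattern match section: up to two byte patterns, each at a
frame- or data-relative hex offset, combined with AND/OR, optionally negated
(Don't match) and optionally retried with the offsets swapped (Either offset).

Added example, not code from the course or the Sniffer product.  The NCP
frames below are constructed: raw 802.3 header (14) + IPX header (30) puts
the NCP type at 0x2C and the function / completion code at 0x32.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAC_HEADER_LEN = 14                 # data-relative offsets count from here
DONT_CARE = None                    # one don't-care byte (Alt-X on the Sniffer)


@dataclass(frozen=True)
class Pattern:
    bytes_: Sequence[Optional[int]]  # 0-255 per position, or DONT_CARE
    offset: int                      # hex offset as entered on the screen
    data_relative: bool = False

    def found(self, frame: bytes, offset: int) -> bool:
        start = offset + (MAC_HEADER_LEN if self.data_relative else 0)
        window = frame[start:start + len(self.bytes_)]
        if len(window) < len(self.bytes_):
            return False
        return all(w is DONT_CARE or w == g for w, g in zip(self.bytes_, window))


@dataclass(frozen=True)
class Match:
    first: Pattern
    second: Optional[Pattern] = None
    op: str = "AND"                  # AND / OR between the two patterns
    either_offset: bool = False
    dont_match: bool = False

    def hits(self, frame: bytes) -> bool:
        def combine(off1: int, off2: int) -> bool:
            a = self.first.found(frame, off1)
            if self.second is None:
                return a
            b = self.second.found(frame, off2)
            return (a and b) if self.op == "AND" else (a or b)

        hit = combine(self.first.offset, self.second.offset if self.second else 0)
        if self.either_offset and self.second is not None:
            hit = hit or combine(self.second.offset, self.first.offset)
        return not hit if self.dont_match else hit


def hex_pattern(text: str) -> List[Optional[int]]:
    """'2222' -> [0x22, 0x22]; 'xx' marks a don't-care byte."""
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return [DONT_CARE if p.lower() == "xx" else int(p, 16) for p in pairs]


def char_pattern(text: str, keep: Optional[int] = None) -> List[Optional[int]]:
    """Character format; bytes past `keep` become don't-cares (SABER.CFG -> SABER.xxx)."""
    keep = len(text) if keep is None else keep
    return [ord(c) if i < keep else DONT_CARE for i, c in enumerate(text)]


def display_filter(frames: List[bytes], matches: List[Match]) -> List[bytes]:
    """Every active match section must pass for a frame to be displayed."""
    return [f for f in frames if all(m.hits(f) for m in matches)]


# --- constructed NCP sample frames ------------------------------------------
def ncp_frame(ncp_type: int, code: int, payload: bytes = b"") -> bytes:
    ipx = b"\xff\xff" + b"\x00" * 28                      # checksum, rest zeroed
    ncp = struct.pack("!HBBBBB", ncp_type, 1, 1, 0, 0, code) + payload
    body = ipx + ncp
    return bytes.fromhex("0000c0aabbcc0000c0112233") + struct.pack("!H", len(body)) + body

READ_REQUEST = ncp_frame(0x2222, 0x48)                     # function 72 = Read
DIR_SEARCH   = ncp_frame(0x2222, 0x3F)                     # function 63 = Dir search
OK_SABER     = ncp_frame(0x3333, 0x00, b"\x00SABER.CFG")   # completion 00, status, file name
OK_LOGIN     = ncp_frame(0x3333, 0x00, b"\x00LOGIN.EXE")
FAIL_SABER   = ncp_frame(0x3333, 0xFF, b"\x00SABER.MNU")
BUFFER = [READ_REQUEST, DIR_SEARCH, OK_SABER, OK_LOGIN, FAIL_SABER]

# The course's Match 1: Read requests, hex 48 at frame offset 32.
READS = Match(Pattern(hex_pattern("48"), 0x32))
# The same match expressed data-relative: 0x32 - 14 = 0x24.
READS_DATA_REL = Match(Pattern(hex_pattern("48"), 0x24, data_relative=True))
# The exercise's Match 3 AND Match 4: an OK reply combined with a SABER.* file name.
OK_REPLY  = Match(Pattern(hex_pattern("3333"), 0x2C), Pattern(hex_pattern("00"), 0x32))
SABER_ANY = Match(Pattern(char_pattern("SABER.CFG", keep=5), 0x34))

if __name__ == "__main__":
    print(len(display_filter(BUFFER, [READS])), "Read request(s)")
    print(len(display_filter(BUFFER, [OK_REPLY, SABER_ANY])), "OK reply(ies) for SABER.*")
```

Don't match on READS returns the other four frames, and a match entered with its two offsets the wrong way round (48 at 0x2C, 2222 at 0x32) finds nothing until Either offset is switched on; both are checked in the assertions that accompany this example.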
Pattern Copy and Paste Procedure

To copy and paste a pattern match:

1. Turn on the Summary, Detail and Hex windows.
2. Identify the frame that contains the desired pattern.
3. Tab to the Detail window and highlight the decoded pattern.
4. Check the Hex window to make sure the data bytes are highlighted.
5. Press F6 (for Search/Display Filters) or F5 (for Trigger/Capture Filters).
6. Go to the pattern match and choose Match 1, 2, 3 or 4.
7. Select a Pattern and press Enter. Press the Up arrow to paste the pattern that is currently highlighted in the Hex window, and then press Enter.
8. Move down to Offset, press Enter, press the Up arrow to paste the hexadecimal offset of the beginning of the highlighted pattern, and press Enter.
9. Name the pattern match, if you wish.
10. Set up logical operations with additional pattern matches as desired.
Data Link Frame Filters (Ethernet)

1. Short frames (Runts)
    — The frame is shorter than the minimum 60 bytes (not counting the CRC).
2. Bad CRC frames
    — The CRC is inconsistent with the data in the received frame.
3. Good frames
    — Frames without the errors listed above (if a frame passes 1. and 2., the Good Frames count is incremented).
4. Collision frames
    — Collisions that occur either within the preamble or within the frame data.

The Sniffer Analyzer will still attempt to decode a bad frame.
Capture Filters (menu screen, Destination class highlighted)

  Main menu:        Traffic generator, Capture filters (on), Trigger (on), Schedule (off), Capture, Display, Expert config, Files, More...
  Capture filters:  Station address (Known stns only off, Unknown stns only off), Destination class (Broadcast on, Specific on), Protocol, Pattern match
  Help line:        "Filter on broadcast versus specific destination addresses. Use the arrow keys to move around in the menu."
  F10 = New capture
Exercise (Token Ring)

Objective: Practice using Sniffer pattern match capture filters.

Background: Once a network manager is sure that the physical network is running smoothly, it becomes a nuisance to capture the Active Monitor Present (AMP) and Standby Monitor Present (SMP) Media Access Control frames when you are only interested in higher layer data. With a pattern match capture filter you can save room in your capture buffer by filtering out all AMPs and SMPs.

1. Capture from the file C:\CAPTURE\TC101C\CROSS.TRC. Press F10 to start capturing. When the capture finishes, how many frames were captured?

2. Press F3 to display the data with the Summary, Detail and Hex windows active. Find an Active Monitor Present frame.

3. Highlight the Active Monitor Present decode in the Detail window. Check to make sure that part of the frame is also highlighted in the Hex window.

Exercise (continued)

4. Press F5 to get back to the Main Menu, and move up to Capture filters.

5. Select Match 1 in the pattern match capture filter. Paste in the AMP pattern using the Up Arrow. Repeat the paste to enter the offset. Select Don't match.

6. Press F10 to recapture the trace file with the pattern match filter active. How many frames were captured this time?

7. Confirm that the AMP frames have been filtered out of the capture buffer by displaying the data.

8. Repeat the process to filter out all Standby Monitor Present frames as well as AMP frames. Re-capture the data. How many frames are accepted now?
Display Filters (menu screen)

  Station address   Match 1 - Match 4 (From <any station>, To <any station>, Reverse direction, Include these / Exclude), Others (Include others / Exclude)
  Protocol          decodable protocols, for example Telnet, StreetTalk (VINES), RTMP (Atalk), NetWare
  Pattern Match
  Network object
  Symptom frames
  Selected frames
  Good frames, Bad CRC frames, Short frames    (Ethernet only)
Common Filters

• Some of the filter options are available as both capture filters and display filters. Those options are:
    — Destination Class
    — Station Address
    — Protocol*
    — Pattern Match
    — Data Link Frames (Ethernet Only)

* The display protocol filter supports higher level protocols than the capture protocol filter, which sees only the data link header.
Protocol Filters

• Display protocol filters
    — Ethertype
    — SAP
    — All "decodable" upper layer protocols, such as NetBIOS, NetWare, UDP, NFS, FTAM, NICE, StreetTalk, ZIP
Display Protocol Filter Options (grouped roughly by protocol family)

  Data link / LLC:   DLC, RI, LLC, SNAP, LOOP, BPDU, Netmap TCP, Netmap XNS, NGCP
  IBM:               NetBIOS (IBM), SNA, IRMA, SMB, RPL, IBMRT, IBMNM
  NetWare / XNS:     IPX, NetWare, NetBIOS (NetWare), Diags (NetWare), SAP (NetWare), XNS, 3Com NBP
  TCP/IP:            IP, ARP, TRLR, PUP, SMTP, DNS
  ISO:               ISO CLNP, ISO ES-IS, ISO Transport, ISO Session, ISO Presentation, ACSE,
                     X.400 (RTS), X.400 (P1), X.400 (P2), X.500, NetBIOS (ISO), CMIP
  DECnet:            NICE, FOUND, CTERM, LAVC, SCS
  VINES:             IP, Loop, Echo, LLC, FRP, Seq ARP, ARP, IPC, ICP, Seq RTP, RTP, SPP, NetRPC, StreetTalk, Mail,
                     Ntwk Mngt, Svr Svc, PC Backend, VANGuard, Echotest, Router, FTP, File Svc, Talk, Async,
                     DA-Collect, DA-Lookup, Deflector, Diagnostic, NetBIOS, Print Svc, Semaphore, SNA Svc
  AppleTalk:         LAP, DDP, ARP, ATP, NBP, RTMP, ZIP, ECHO, ASP, ADSP, AFP, PAP, KSP, STALK, TOPS
  Other:             USPS, X Windows, X.25 SNDCP, QLLC, Other SAP, Other Etype
Address Level Filter

• Address level filtering provides a quick way to filter on a specific networking environment: only frames carrying a particular type of network address are shown from the capture buffer.

• The address types to filter on are:
  DLC, IP, IPX, ISO, DRP, VINES, AppleTalk, X.25_LCN, X.25_Call, SNA, XNS
Expert Display Filters

• Network object
    The Expert Sniffer filters on the object you have highlighted when you press F2 from the Expert window. Only frames that are relevant to that object, symptom, or diagnosis are displayed.
    To display all frames again later, press Enter on the Network object filter option and delete the current object filter. To disable network object filters, press the spacebar on Network object.

• Symptom frames
    Only show frames for which there is a symptom or diagnosis.

• Selected frames
    Frames in the capture buffer can be selected by pressing F9 while highlighting the frame. A selected frame shows an S flag at the left of its line in the Summary window. Use the Selected frames filter to show only selected frames from the capture buffer.
Display Options (menu screen)

  Main menu:  Cable tester, Traffic generator, Capture filters, Trigger, Schedule, Capture, Display, Expert config, Files, Options, Exit
  Display:    Frame editing (off), Manage names, Filters, Expert (on), Summary (on), Detail (off), Hex, Two viewports, More...
  Filters:    Address level, Destination class, Station address, Protocol, Pattern match, Network object, Symptom frames, Selected frames,
              Good frames, Bad CRC frames, Short frames, Collision frames
  Help line:  "Set up filters for frames to be displayed."
Exercise (Ethernet)

Objective: Use pattern matching to isolate poor directory path settings.

Background: After capturing a Sniffer trace of a user's Novell NetWare login, you notice inefficiencies in the way the software searches for files. This user runs Saber, a popular menuing program.

1. Load the trace file C:\CAPTURE\TC101C\NCP_LOG4.ENC.

2. Display the data with the Summary, Detail and Hex windows open.

3. Create a pattern match display filter to find all occurrences of Dir search commands. (Hint: In NCP, the type of command is specified by the Request code. Request Code = 63 means Dir search. Look at the Detail in frame 13.) Use the Match 1 pattern match.

4. Press F3 to display the data. Do you notice anything odd about the directory searches?

5. Turn Match 1 off and re-display the data. Now create a pattern match filter to find the OK responses. There is an example of this in frame 14. Highlight the line that says Completion code = 00 (OK). Make this Match 3.

6. Re-display the data. Unfortunately, Match 3 finds all OK responses for all the NCP requests in the capture buffer.
Exercise (cont'd)

7. To make Match 3 more specific, we can combine it with another pattern match filter. So, make Match 4 a pattern that matches all SABER files, with any file extension. For this match, we will copy and paste the pattern in frame 14 that has File name = "SABER.CFG". Highlight that pattern in the Detail window.

8. Under Match 4, change the pattern from Hexadecimal to Character format, and then paste the pattern with the Up Arrow key.

9. We don't need the entire pattern this time, just SABER. To adjust this, change the characters after SABER to Don't Cares (Alt-X). Press Enter to accept the pattern, and don't forget to paste in the offset too.

10. Change the logic operator between the patterns to Match 3 AND Match 4.

11. Re-display the data. This should give you all OK NCP replies for SABER.* files.

12. Press F6 for Display options and turn on pattern Match 1 so you can determine how to improve things.
Exercise (continued)

13. Look at the detail decodes of the NCP commands that correspond to the OK responses. What directory access handle is used most often in the successful Directory search commands?

14. To determine the path name for the directory access handle in Question 13, first turn off Match 1, 3 and 4. Then look in the detail decode for frame 44. This frame is the server telling the client the directory access handle to use for a path name. You should see a directory access handle that is the same as your answer to Question 13.

15. To determine the path name, look in the detail decode for frame 43, which is the command corresponding to the response we looked at in Question 14. What is the path name?

16. How would you improve things, either in the user's path or in the placement of the files?


Exercise (Token Ring)

Objective: Use capture and display filters to determine how to eliminate unnecessary network traffic.

Background: Users are complaining that it is taking a long time for their Microsoft LAN Manager session to log on.

1. Capture from the file C:\CAPTURE\TC101C\DNSETC.TRC. Press F10 to do the capture.

2. Display the file without filters. How many frames are in this example?

3. Look at the Domain Name System (DNS) traffic in frames 6-9, 12-17, etc. What name is 192.86.160.11 trying to find?

4. Using a protocol display filter, filter out all traffic except DNS traffic. Does 192.86.160.11 ever get a response to its DNS queries? (Hint: Use ALT+Space to speed up the capture from file.)


Exercise (continued)

5. Is 192.86.160.11 the only station sending DNS name queries?

6. Are the DNS queries going to all the Token Ring networks (across bridges)?

7. Change your protocol display filter to show all protocols again. Find the DLC address for 192.86.160.11 by turning on DLC addresses. Now set up a Display DLC Station address filter for all traffic involving that DLC address. What else is this station doing besides sending DNS queries?

8. Use a protocol capture filter to capture only the DNS frames. Hint: look at the LLC layer of a DNS frame to determine how to set up your capture protocol filter. Compare it with other types of frames to find a filter that is unique to DNS in this trace. After setting up your filter, recapture the file. How many frames are DNS frames?

9. Comparing your answer to Question 8 with your answer to Question 2, what percentage of your frames could be eliminated by turning DNS off?
Exercise (Ethernet)

Objective: Use both capture and display filters to investigate non-productive activities on the network.

Background: You have heard that people are using Telnet for non-work-related activities. One particular user, Dave (IP address 137.28.108.11), is rumored to use Telnet for his own purposes rather than for work.

1. Capture from the file C:\CAPTURE\TC101C\TCPDEMO6.ENC. Press F10 and use the Alt key to speed up the capture.

2. Display the data. Press F6, turn Detail on, and set Name width to 18. Press F3 to display the data again.

3. Search for text on Dave's IP address, 137.28.108.11. Which frame did it find?

4. Notice that this frame is a Telnet packet from a Telnet host to 137.28.108.11. (Your text search was found in the Destination address.) Look at the DLC layer for this frame in the Detail window. What are the source and destination DLC addresses for this frame?
Exercise (continued)

5. Press F5 for the main menu and use Capture filters to set up a Station address filter for the conversation between the DLC addresses identified in the previous question. Press F10 to re-capture the file.

6. Press F3 to display the data again. What are the different protocols displayed in the Summary window?

7. Press F6 for Display Options and apply a protocol filter on Telnet. Zoom in on the Hex window. Use F8 to move through the next couple of frames. Does it look as though Dave is "taking care of business"? (Telnet carries the session in clear text, which is why the Hex window reads like the user's terminal.)

Extra Credit: Why do we see more than just Dave's session even after we captured with the Capture filter? Hint: What type of connectivity devices are being used to forward these "recreational" frames?
Section Summary

• What's a Filter?
• When and why should you use Filters?
• Capture and Display Filter Options
    — Common Filters
    — Capture Exclusives
    — Display Exclusives


Using Triggers
Section Objectives

• Define Triggers
• Outline Trigger Options
    — Expert Triggers
    — Pattern Match Triggers
    — External Trigger (COM1)
    — Error Frame Triggers
• Examine Trigger-generated Events
    — Stop Capture
    — Disk Snapshot
    — External Signaling (COM1)
What is a Trigger?

• "Triggers" are predefined events that can make the Sniffer stop a capture, save the contents of the capture buffer to disk, and/or signal an external device.

• The trigger options are:
    — Expert diagnoses
    — Pattern matches
    — External COM1 serial port control leads
    — Error frames (specific to the analyzer type)

When a frame matches the trigger:

    — The Sniffer can stop the capture (at a user-definable point in the buffer)
    — The Sniffer can take a disk snapshot of the frames, and then continue capturing with the trigger still active
    — The Sniffer can signal an external device through its serial port (COM1)

You don't always have to be at the Sniffer to get the information you need!
Enabling and Disabling Triggers (menu screen)

  Banner:     Ethernet Expert Sniffer Network Analyzer, Version 4.48, Copyright 1986 - 1994 Network General
  Main menu:  Cable tester, Traffic generator, Capture filters (on), Trigger (on), Schedule (off), Capture, Display, Expert config, Files, Options, More...
  Trigger:    Bad CRC frames, Short frames, Oversized frames, External trigger, Pattern trigger (on), Expert trigger (on),
              Stop capture, Disk snapshot, Trigger position
  Help line:  "Set up a capture trigger. Press SPACE to enable (on) or disable (x); Ctrl-space inverts all."

Although the Trigger item is enabled by default, no triggers are defined unless you specify them. Once you have created one or more triggers, they can be temporarily disabled with the spacebar toggle.
Defective Frame Triggers

• Bad CRC frames
• Short frames
    — A frame that is shorter than 60 bytes (the minimum size of an Ethernet frame, not counting the CRC).
• Oversize frames (Ethernet Only)
    — A frame that is longer than 1514 bytes (the maximum size of an Ethernet frame, not counting the CRC). This may be due to a malfunctioning NIC or a repeater that is streaming data.
• Error frames (FDDI Only)
External Trigger (COM1)

• From COM1
    — A change in Clear To Send (CTS) or Data Set Ready (DSR) on the serial port sets off the trigger.

• To COM1
    — As the result of a trigger, the Sniffer Analyzer's serial port (COM1) can be used to notify an external device that the analyzer has triggered. The analyzer toggles Request To Send (RTS) and asserts Data Terminal Ready (DTR). The communicating device must be an autodial modem configured to call the desired number.
Pattern Match Triggers (menu screen)

  Trigger menu:     Bad CRC frames, Short frames, Oversized frames, External trigger, Pattern trigger, Expert trigger,
                    Stop capture, Disk snapshot, Trigger position
  Pattern trigger:  Match 1 - Match 4, each with "Use this match?" (press Enter to change the name), Either offset (off),
                    two patterns (Pattern = XXXX..., Offset in hex), Hexadecimal / Character format

Similar in nature and configuration to the pattern match filters and the Search for pattern command, this option allows for "user definable" triggers.
Expert Triggers

Set a trigger on a diagnosis at one of the following layers:

• Application
• Connection
• Network station
• DLC station

Application Layer Triggers

• Slow file process (as defined by the Slow file % threshold)
• Slow server (as defined by the Slow resp % threshold)
• Loops on request: too many loops occurred on the same request (as defined by the Loop % thresholds)
• File retrans (as defined by the Slow file % threshold)
• Requests denied (as defined by the Denied req % threshold)

Connection Layer Triggers

• Broken connection (as defined by the No responses threshold)
• Retransmission: too many transport layer retransmissions occurred (as defined by the Retrans % threshold)

Network Layer Triggers

• Duplicate address: two stations share the same network layer address
• Local router: a router is forwarding local traffic
• Multiple routers: too many routers are being used to reach a remote station (as defined by the Mult routers threshold)
• Subnet down: all paths to an AppleTalk subnet have been lost
• Bad routing table: an AppleTalk routing table has become corrupted
• Subnet conflict: AppleTalk subnet ranges are in conflict

DLC Layer Triggers

• Overloaded LAN: the network has been in the Overloaded LAN state for too long (as defined by the LAN overld % threshold)
• Broadcast storm (as defined by the Broadcast dg threshold)
• Physical error: too many error frames per second per station (as defined by the Physical err threshold)

Token Ring "MAC Layer" Triggers

• Token ring entry: too many attempts by a station to enter the ring (as defined by the Ring entries threshold)
• Ring purge (as defined by the Rng purge dg threshold)
• RX congestion: too many receive congestion reports from a DLC station (as defined by the RX cong threshold)
• Stn removed: too many station removal request frames (as defined by the Stn removed threshold)
• Beaconing ring
• Token ring burst: too many line/burst errors from a DLC station (as defined by the Ring errors threshold)
Processing Triggers

You can specify multiple triggers simultaneously.

Normally, the first frame that fulfills a trigger condition is considered the trigger frame and is marked as such.

In some cases a simpler Classic trigger that is satisfied a very short time after an Expert trigger will be considered "the Trigger", because the analyzer processes triggers that require Expert analysis more slowly than those that do not.
Stopping a Capture

Several options exist for stopping a capture. Triggers allow you to stop a capture automatically.

• F10 (Stop Capture)

• Under the Trigger menu, you can tell the Sniffer Analyzer to stop capture according to the Trigger position parameter.

• Under the Trigger menu, you can also tell the Sniffer Analyzer to stop capture when the memory buffer is full.
Trigger Disk Snapshot

• Write to disk each time the specified trigger occurs. The trigger frame ends up positioned in the file according to the Trigger position parameter and the Size parameter.

  Trigger           Can be a pattern match, expert or external trigger
  Trigger position  0%, 25%, 50%, 75%, 100%
  Size              Number of Kbytes to be saved in each file (the saved file is smaller if Compress files is enabled)
  Files             Number of files to be saved
  Overwrite         If the maximum number of files has been saved, should the existing files be overwritten? If this is not turned on, capture stops when the maximum number of files has been saved.
  Compress          Save files in a compressed format. This conserves hard disk space and allows larger files to be transferred on floppy disk.

• Writes to SNAP1.XXC, SNAP2.XXC, SNAP3.XXC ... in the C:\CAPTURE directory, where XX is either EN for Ethernet or TR for Token Ring.

• Disk snapshot only applies to a capture from the network and not to a capture from disk.

• If these files already exist from a previous capture session and the Overwrite option is turned off, the capture will stop with an error message.

Trigger Position

  0%    pretrigger (the trigger frame is the first frame in the buffer)
  25%
  50%
  75%   (default)
  100%  (the trigger frame is the last frame in the buffer)
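Trigger position and disk snapshot, modelled as an added example (not code from the course or the Sniffer product): a ring buffer that keeps the trigger frame at the requested percentage of the buffer, used once for Stop capture and repeatedly for Disk snapshot with the Files and Overwrite settings. Frames are plain integers, the "disk" is an in-memory list, and Size is expressed in frames rather than Kbytes; all of that is this example's simplification.

```python
"""Trigger position and disk snapshot, modelled as a ring buffer.

Added example, not code from the course or the Sniffer product.  Frames are
integers standing in for captured frames, the "disk" is a list in memory, and
Size is counted in frames rather than Kbytes.
"""
from collections import deque
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

Frame = int
Snapshot = Tuple[List[Frame], int]      # (saved frames, index of the trigger frame)
_END = object()


def split_buffer(capacity: int, pretrigger_pct: int) -> Tuple[int, int]:
    """How many frames before and after the trigger frame a buffer holds.
    0% = trigger frame first, 100% = trigger frame last (75% is the default)."""
    if capacity < 1 or not 0 <= pretrigger_pct <= 100:
        raise ValueError("bad buffer parameters")
    before = min(capacity - 1, capacity * pretrigger_pct // 100)
    return before, capacity - 1 - before


def snapshots(frames: Iterable[Frame], capacity: int, pretrigger_pct: int,
              trigger: Callable[[Frame], bool]) -> Iterator[Snapshot]:
    """Yield one buffer per trigger event, leaving the trigger armed afterwards."""
    before, after = split_buffer(capacity, pretrigger_pct)
    history: deque = deque(maxlen=before)   # oldest pretrigger frames fall off the end
    it = iter(frames)
    for f in it:
        if not trigger(f):
            history.append(f)
            continue
        saved, trig_idx = list(history) + [f], len(history)
        need = after
        while need > 0:                     # fill the post-trigger part of the buffer
            g = next(it, _END)
            if g is _END:
                break
            saved.append(g)
            need -= 1
        yield saved, trig_idx
        history.clear()                     # post-trigger frames become the history
        history.extend(saved[trig_idx + 1:])  # for the next snapshot


def stop_at_trigger(frames: Iterable[Frame], capacity: int, pretrigger_pct: int,
                    trigger: Callable[[Frame], bool]) -> Optional[Snapshot]:
    """Stop capture at the trigger; None if the trigger never fired."""
    return next(snapshots(frames, capacity, pretrigger_pct, trigger), None)


def disk_snapshot(frames: Iterable[Frame], capacity: int, pretrigger_pct: int,
                  trigger: Callable[[Frame], bool],
                  max_files: int, overwrite: bool) -> List[Snapshot]:
    """Write a file per trigger; with Overwrite off, capture stops once
    max_files have been written, otherwise the oldest file is replaced."""
    files: List[Snapshot] = []
    for snap in snapshots(frames, capacity, pretrigger_pct, trigger):
        if len(files) == max_files:
            if not overwrite:
                break
            files.pop(0)
        files.append(snap)
    return files


if __name__ == "__main__":
    # Constructed stream: frames 0..19, the "event" is frame 10.
    for pct in (0, 25, 50, 75, 100):
        print("%3d%% pretrigger:" % pct, stop_at_trigger(range(20), 8, pct, lambda f: f == 10))
```

A 50% position with an 8-frame buffer keeps four frames of context before the event and three after it; 100% keeps only what led up to it, which is the setting to use when the trigger frame is the symptom and the cause is expected earlier.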
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Exercise (Ethernet) 


Objective: Use a Trigger to catch the frames involved in a duplicate IP 
address. 


Background: It’s great that the Expert Analyzer can find duplicate IP 
addresses and inform you of the two DLC addresses involved. 
However, if you don’t keep track of all the DLC addresses in 
your networks, it may not help to just know the addresses. 
Looking at the captured traffic around the trigger event may 
help in finding the offending stations. 


1. After resetting system defaults, move to Trigger, Expert trigger, and Network 
station. Select the Duplicate address diagnosis trigger. Make sure Expert 
trigger is selected. 

2. Move to Trigger and select Stop capture. Select Stop at trigger. 

3. Move to Trigger and Trigger position. Select 50% pretrigger. 


4. Capture from the file C:\CAPTURE\TC101C\TCPDEMO6.ENC. Press F10 to 
start capturing. Hold Alt down to speed the capture. 
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Exercise (continued) 


5. You should hear a chime, and the top left of the screen should say TRIGGERED. 
Continue capturing until you see ENDFILE. 


6. Press F3 to display. Press F6 for Display options and Jump to trigger. Which 
frame is the Trigger frame? 


7. Examine the trigger frame, as well as the frame before it. What are the DLC 
addresses of the two stations that are sending the ARP Reply? 


8. What is the duplicate IP address that these two stations use? 


9. Press F3 to display the Expert window, and confirm that the IP duplicate address 
diagnosis reports the same information that you found in the capture buffer. 
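The following Python program is an added worked example; it is not part of the course materials or of the Sniffer software. It models what steps 1 to 3 of the exercise configure: an Expert-style duplicate-address trigger that fires when a second DLC address sends an ARP Reply for an IP address already claimed by another DLC address, feeding a fixed-size capture buffer whose trigger position is the pretrigger percentage described on the previous page. The frame records, the IP address and the DLC addresses are constructed for the example, and the buffer semantics (a ring of the newest frames, capture stopping once the post-trigger share is filled) are the author's simplification.

```python
"""Added example: an Expert-style 'duplicate IP address' trigger driving a
capture buffer with a configurable pretrigger position.  Not Sniffer code;
the frame records and addresses below are constructed for illustration."""
from collections import deque

ARP_REPLY = 2  # ARP opcode for a Reply


class DuplicateIPTrigger:
    """Fires when a second DLC (MAC) address sends an ARP Reply for an IP
    address already claimed by a different DLC address."""

    def __init__(self):
        self.ip_to_mac = {}
        self.diagnosis = None  # (ip, first_mac, second_mac) once triggered

    def check(self, frame):
        if frame.get("proto") != "ARP" or frame.get("opcode") != ARP_REPLY:
            return False
        ip, mac = frame["sender_ip"], frame["sender_mac"]
        first = self.ip_to_mac.setdefault(ip, mac)
        if first != mac:
            self.diagnosis = (ip, first, mac)
            return True
        return False


class CaptureBuffer:
    """Keeps the newest `size` frames.  `pretrigger` is the fraction of the
    buffer reserved for frames before the trigger frame (0, 0.25, 0.5, 0.75
    or 1.0 on the Sniffer); capture stops once the post-trigger share of the
    buffer has been filled."""

    def __init__(self, size, pretrigger, trigger):
        self.buf = deque(maxlen=size)
        self.post_needed = int((size - 1) * (1.0 - pretrigger))
        self.trigger = trigger
        self.triggered_at = None  # sequence number of the trigger frame
        self.post_seen = 0
        self.stopped = False
        self.count = 0

    def feed(self, frame):
        if self.stopped:
            return
        self.count += 1
        self.buf.append((self.count, frame))
        if self.triggered_at is None:
            if self.trigger.check(frame):
                self.triggered_at = self.count
                self.stopped = self.post_needed == 0  # 100% pretrigger: stop now
        else:
            self.post_seen += 1
            self.stopped = self.post_seen >= self.post_needed

    def frames(self):
        return list(self.buf)

    def trigger_index(self):
        """Position of the trigger frame in the retained buffer (what 'Jump
        to trigger' shows), or None if it has already been pushed out."""
        for i, (seq, _) in enumerate(self.buf):
            if seq == self.triggered_at:
                return i
        return None


def sample_frames():
    """Constructed trace: background IP frames, then two stations answering
    ARP for the same address (frames 6 and 7), then more background."""
    ip = {"proto": "IP"}
    reply_a = {"proto": "ARP", "opcode": ARP_REPLY,
               "sender_ip": "128.164.224.10", "sender_mac": "00:00:0C:AA:AA:AA"}
    reply_b = dict(reply_a, sender_mac="00:00:0C:BB:BB:BB")
    return [ip] * 5 + [reply_a, reply_b] + [ip] * 13


def capture(pretrigger, size=9):
    """Run the constructed trace through a buffer at the given pretrigger."""
    buf = CaptureBuffer(size, pretrigger, DuplicateIPTrigger())
    for frame in sample_frames():
        buf.feed(frame)
    return buf


if __name__ == "__main__":
    buf = capture(0.5)
    print("diagnosis:", buf.trigger.diagnosis)
    print("buffer holds", len(buf.frames()), "frames; trigger frame at index",
          buf.trigger_index())
```

With 50% pretrigger and a nine-frame buffer the trigger frame lands in the middle, with the first station's ARP Reply immediately before it, which is what steps 6 and 7 of the exercise ask you to look at; with 100% pretrigger the trigger frame is the last one kept.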
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Exercise (Token Ring) 


Objective: Use a Trigger to catch the frames during a beaconing ring, to 
gather more information about the physical problem. 


Background: Users are complaining that their network connections time out 
now and then. You suspect it’s physical layer problems, but 
you aren’t sure when or why they happen. 


1. Move to Trigger, Expert trigger, and DLC station. Select the Beaconing ring 
diagnosis trigger. How can you be sure Expert trigger is selected? 


2. Move to Trigger and select Stop capture, Stop at trigger. 


3. Move to Trigger and Trigger position. Select 50% pretrigger. 


4. Capture from the file C:\CAPTURE\TC101C\BCNSPEED.TRC. Press F10 to 
start capturing. Hold Alt down, and watch the screen carefully for triggers. 
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Exercise (cont’d) 


5. You should hear a chime, and the top left of the screen should say TRIGGERED. 
Continue capturing until you see ENDFILE. 


6. Press F3 to display. Press F6 for Display options and Jump to trigger. Which 
frame is the Trigger frame? Is that frame a MAC Beacon frame? 


7. What is the address of the beaconing station? 


8. Turn on the Detail window and write down the Upstream Neighbor Address. 
Why is this address important? 
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Section Summary 


• What's a Trigger?
• Enabling and Disabling Triggers
• Trigger Options
  - Expert Triggers
  - Pattern Match Triggers
  - External Trigger (COM1)
  - Error Frame Triggers
• What happens when a Trigger occurs?
  - Stop Capture
  - Disk Snapshot
  - External Signaling (COM1)
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Section Objectives

• Introduce the advanced features of the Sniffer Network Analyzer

• Reference where in the Sniffer documentation further information on each topic can be found
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Advanced Features 


• User explain messages
• Scheduled events
• Expert analyzer configuration
• Saving expert data
• Sniffer startup parameters and setup files
• Protocol forcing
• Frame editing
• Generating network traffic
• Network monitoring
• Remote communications with the Sniffer
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User Explain Messages 


User Explain Messages are context-sensitive explain messages that you create. They are displayed in conjunction with the Network General Expert Explain messages.

Example screen: the summary pane shows four frames (a TCP connection setup followed by X Window traffic between two 128.164.224.x hosts) above the Expert Subnet Summary table (columns Subnet 1, Subnet 2, Frames, Hops, Symps, Protocol; one DRP row between two DECnet areas and one IP row). Below it the EXPERT EXPLAIN window reads:

    User text [context=subnets.summary; file = GLOBAL.TPL]
    ATTENTION: Remember to document ANY and ALL changes to the
    configuration in the change log in Michelle's office!

    The packet count describes the activity between two subnets. The hop
    count is the distance between the two subnets (number of routers on the
    path). If the hop count is 0, it indicates either a local subnet, or that
    no Routing Information Protocol (RIP) packets have been seen.

    The symptom count is the total number of symptoms occurring for the
    traffic between the subnets, on both the application and connection
    levels. Examine ...
    (Use the arrow keys to move, or ESC to return.)

User Explain Messages are created at the command line using your favorite ASCII text editor. Additional information on User Explain Messages can be found on pages 2-11 through 2-13 in the Expert Sniffer Network Analyzer Operations manual.
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Scheduled Events 


You can schedule your analyzer to automatically perform certain events within each week. Those events are:

• Saving the Expert database
• Saving the contents of the capture buffer
• Clearing the Expert database and resetting global statistics
• Clearing the analyzer's name table
• Loading the start-up name table
• Loading a new setup file
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How Do You Schedule Events? 


• Select SCHEDULE from the Analyzer's main menu and press <Enter>.

• Press F2 to add a new event.

• Specify when the scheduled event should occur by choosing Weekly Schedule from the Configure Event menu.

• Specify the actions you want to occur at the scheduled time by choosing Actions from the Configure Event menu and toggling on each option.

• After you've selected the times and actions, you must select Exit and Update from the Configure Event menu to save the new event.

Additional information on Scheduling Events can be found on pages 3-16 through 3-20 in the Expert Sniffer Network Analyzer Operations manual.
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Expert Analyzer Thresholds 


Customize the Analyzer's diagnoses and symptoms by setting thresholds for the following layers:

Application       Related to the quality of sessions and file transfers
Connection        Refers to problems with connections, such as retransmissions, timeouts, keep-alives
Network Station   Associated with network addressing and routing problems
DLC Station       Associated with problems such as broadcast storms and traffic bursts
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Thresholds: Warning! 


The default thresholds supplied with the Expert Analyzer have 
been carefully calculated to ensure accurate and informative 
symptom and diagnosis detection. Before changing any 
thresholds, make sure you understand: 


1. How the Expert thresholds interact with one another 
to determine symptom and diagnosis detection. 


2. Your network. Don’t change Expert thresholds 
unless you are sure it’s appropriate for your network. 


If changed thresholds aren’t working correctly, 
reload factory defaults from the Options menu. 


OPTIONS\USE DEFAULTS 
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Set Subnet Masks 
(TCP/IP Only) 


• Tells the Sniffer Analyzer what IP subnet masks are used on your internetwork.

• Tells the Sniffer Analyzer what default subnet masks to use for networks that you don't specify. Specifying these configurations will help the Sniffer Analyzer correctly diagnose and display problems for your network.

Example:

On a Class B network 128.13.0.0, should a frame destined to the address 128.13.4.255 be considered a broadcast? The answer is Yes if your subnet mask is 255.255.255.0, and No if your subnet mask is 255.255.0.0.
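The Python below is an added worked example (not Sniffer code) of the decision the example describes: a table of operator-configured masks with classful defaults for networks not listed, and a check of whether a destination address is the directed broadcast of the subnet the analyzer believes it belongs to. It goes slightly beyond the text by also handling the limited broadcast 255.255.255.255 and the class A/B/C default masks; the table contents are made up, and the dictionary layout (classful network in prefix notation mapped to a dotted mask) is the author's choice.

```python
"""Added example: how a configured subnet mask table decides whether an
address such as 128.13.4.255 is a directed broadcast.  Not Sniffer code; the
table contents are made up."""
import ipaddress

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def classful_network(addr):
    """Return (class letter, classful network) for a unicast IPv4 address."""
    a = ipaddress.ip_address(addr)
    first_octet = int(a) >> 24
    if first_octet < 128:
        cls = "A"
    elif first_octet < 192:
        cls = "B"
    elif first_octet < 224:
        cls = "C"
    else:
        raise ValueError(f"{addr}: class D/E address has no classful network")
    return cls, ipaddress.ip_network(f"{a}/{CLASSFUL_PREFIX[cls]}", strict=False)


class SubnetMaskTable:
    """configured: {classful network in prefix form, e.g. '128.13.0.0/16': mask}
    entered by the operator.
    defaults: {class letter: mask} used for networks not in `configured`."""

    def __init__(self, configured, defaults):
        self.configured = {str(ipaddress.ip_network(n)): m for n, m in configured.items()}
        self.defaults = dict(defaults)

    def mask_for(self, addr):
        cls, net = classful_network(addr)
        return self.configured.get(str(net), self.defaults[cls])

    def is_broadcast(self, addr):
        """True for the limited broadcast 255.255.255.255 or for the directed
        broadcast of the subnet the analyzer believes `addr` belongs to."""
        if addr == "255.255.255.255":
            return True
        subnet = ipaddress.ip_network(f"{addr}/{self.mask_for(addr)}", strict=False)
        return ipaddress.ip_address(addr) == subnet.broadcast_address


CLASSFUL_DEFAULTS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

if __name__ == "__main__":
    # The Class B network from the text, subnetted with a 24-bit mask
    table = SubnetMaskTable({"128.13.0.0/16": "255.255.255.0"}, CLASSFUL_DEFAULTS)
    for a in ("128.13.4.255", "128.14.4.255", "128.14.255.255"):
        print(a, "mask", table.mask_for(a), "broadcast?", table.is_broadcast(a))
```

Run with the 24-bit mask configured, 128.13.4.255 is reported as a broadcast; with only the classful default in force it is an ordinary host address, which is exactly the difference in diagnosis the text warns about.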
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Trustee Names 
(Novell NetWare Only) 


• Tells the Sniffer Analyzer about NetWare names that are used in a generic fashion on your network so that the Sniffer Analyzer won't automatically assign these names to specific stations.

• The Novell environment often uses trustee names to refer to groups of users during bindery requests. Since the Sniffer Analyzer is automatically learning symbolic names while capturing, a user that belongs to a trustee group may have its station address associated with the trustee group name.

Examples: SUPERVISOR, CCMAIL, GUEST
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Multiple Routers 


The Mult routers threshold specifies the maximum number of routers through which local traffic can be routed to a remote station before a diagnosis is generated. If a variety of routers are used to reach a remote station, this may be an indication of potential or actual routing problems. If you have routers that do load balancing, or if your stations dynamically learn about routers, multiple routers may be normal. In this case, set the threshold to 9 so you won't get this diagnosis.

[Figure: local stations reaching a Remote Server through several routers]
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DECnet issues 


• DEC hello: If the DECnet Hello timer is less than the value specified, the analyzer will trigger the Small hello timer symptom. DECnet uses Hello packets for neighbor identification. Too frequent Hello packets can result in high network overhead.

• Duplicate %: the percent of inconsistency in the DECnet Hello timer needed to cause a Duplicate network address diagnosis. If the analyzer sees an inconsistency in the hello packet times, this is an indication of two stations using the same network address.
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Broadcasts Per Second 
(Token-Ring Only) 


• Default is 40 broadcasts per second to trigger a diagnosis.

• During Ring Poll each station broadcasts a Monitor Present frame.

• If there are more than 40 stations on the ring you will get a diagnosis every 7 seconds, when Ring Poll occurs.

• To avoid the diagnosis occurring every 7 seconds, set this value equal to the number of stations on the ring.
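As an added example (not Sniffer code), the Python below runs a broadcasts-per-second check over a constructed Token Ring trace in which every ring poll makes each station send one broadcast Monitor Present frame, and shows the default threshold of 40 firing once per poll on a 50-station ring while a threshold equal to the station count stays quiet. The 7-second poll interval comes from the text; the 0.5 ms spacing between stations' frames and the treatment of FFFFFFFFFFFF and C000FFFFFFFF as the broadcast destinations are the author's assumptions.

```python
"""Added example: a broadcasts-per-second check against a trace in which every
ring poll makes each station send one broadcast Monitor Present frame.  Not
Sniffer code; the trace and its timings are constructed."""
from collections import deque

RING_POLL_INTERVAL = 7.0                                # seconds between ring polls (course text)
BROADCAST_ADDRESSES = {"FFFFFFFFFFFF", "C000FFFFFFFF"}  # assumed all-stations destinations


def ring_poll_trace(stations, polls=3, spacing=0.0005):
    """Constructed trace of (time, destination address): `polls` ring polls,
    each station answering with one broadcast frame 0.5 ms after the last.
    Nothing else is on the ring."""
    return [(p * RING_POLL_INTERVAL + s * spacing, "C000FFFFFFFF")
            for p in range(polls) for s in range(stations)]


def broadcast_diagnoses(frames, threshold=40, window=1.0):
    """Times at which more than `threshold` broadcast frames were seen within
    any trailing `window` seconds; at most one diagnosis per window."""
    recent = deque()          # timestamps of broadcasts inside the window
    events = []
    last_event = None
    for t, dst in frames:
        if dst not in BROADCAST_ADDRESSES:
            continue
        while recent and recent[0] <= t - window:
            recent.popleft()
        recent.append(t)
        if len(recent) > threshold and (last_event is None or t - last_event >= window):
            events.append(t)
            last_event = t
    return events


if __name__ == "__main__":
    trace = ring_poll_trace(stations=50)
    print("default threshold 40:", broadcast_diagnoses(trace))              # one per poll
    print("threshold = stations:", broadcast_diagnoses(trace, threshold=50))  # none
```

Note that the diagnosis is raised on "more than" the threshold, so setting it equal to the number of stations is just enough for a quiet ring; any other broadcast landing in the same second as the poll would push the count over again.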
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Saving and Retrieving 
Expert Data Files 


When capturing on a network, the Analyzer creates a database of expert information pertaining to the current capture session. You can save some or all of this information into a .CSV file. The categories of data you can save are:

• Current settings of Expert thresholds
• Information from the Global Statistics screen
• Information from the Expert Overview screen
• Network Objects found during the current capture session
• Diagnoses that occurred during the current capture session

You store the Expert database by selecting FILES\SAVE\EXPERT DATA from the Analyzer's main menu.

Additional information on the Expert database can be found on pages 8-17 and 8-18 in the Expert Sniffer Network Analyzer Operations manual.
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Sniffer Setup Files 


In addition to saving Expert data, you can save a desired combination of system options for future use. The contents of a setup file include:

• General system options, such as Interpret RI
• Capture options
• Capture filters
• Trigger options
• Display options
• Display filters
• Printer options
• Protocol forcing rules

Setup files do NOT include subnet names, trustee names, language settings, directory paths for file storage and retrieval, the contents of the capture buffer, or the name table.
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Setup or Startup File? 


You can save multiple setup files for future use. What if you want one of those files to become your system's defaults? No problem: the trick is in the name of the file, \xxSNIFF\STARTUP.xxS. Just follow these simple steps:

Saving a Setup
• Verify the desired settings.
• Choose FILES\SAVE\SETUP from the Analyzer's main menu and press <Enter>.
• Type the filename of your choice (8 characters or less, without an extension). Your setup will be stored in the \xxSNIFF directory with the *.xxS extension.

Saving the Startup
• Verify the desired settings.
• Choose FILES\SAVE\SETUP from the Analyzer's main menu and press <Enter>.
• Type the filename STARTUP. Your setup will be stored in the \xxSNIFF directory with the *.xxS extension.
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Using Setups 


To manually retrieve a setup file:

• Choose FILES\LOAD\SETUP from the Analyzer's main menu and press <Enter>.

• In the dialog box that appears, select the desired setup file and press <Enter>.

For additional information on setup files, see pages 8-19 through 8-21 in the Expert Sniffer Network Analyzer Operations manual.
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Protocol Forcing 


Protocol Forcing tells the Sniffer Analyzer to decode frames as a protocol it knows how to decode but cannot recognize on its own because:

• The protocol is encapsulated in another protocol, for example for tunneling or encapsulating bridges.

• The frames are illegal or damaged.

• The protocol is non-standard.

• The protocol cannot be recognized by the Sniffer Analyzer unless the session establishment sequence is captured.
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Protocol Forcing Procedure 


Protocol forcing is carried out within the DISPLAY\PROTOCOL FORCING submenu off the Analyzer's main menu.

1. Choose a protocol to force from
   This is a protocol the Sniffer Analyzer can decode without any forcing.

2. Specify rules
   Specify any rules or conditions for applying the protocol force.

3. Choose a protocol to force to
   This is a protocol that the Sniffer Analyzer can decode once it applies your rules.

For additional information on protocol forcing, see pages 9-3 through 9-12 in the Expert Sniffer Network Analyzer Operations manual.
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Frame Editing 


The Sniffer Analyzer lets you edit captured frames for the following purposes:

• Traffic generation
  Edit frames and send them back on the wire for troubleshooting.

• Analyzing damaged frames
  Sometimes, when you make slight changes to a damaged frame, the frame might then make sense.

Frame editing is enabled by toggling the Frame editing option within the DISPLAY submenu. The actual editing takes place in the Hexadecimal View.

Additional information on Frame editing can be found on pages 7-46 and 7-47 in the Expert Sniffer Network Analyzer Operations manual.
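One check a practitioner wants while editing frames in the hex view is whether the frame check sequence still matches, both to tell a damaged frame from a mis-decoded one and to make an edited frame valid before it goes back on the wire. The Python below is an added example, not Sniffer code: it builds an Ethernet frame, verifies its FCS, corrupts a byte, restores it, and re-seals the FCS after an edit. It assumes the captured frame includes its four FCS bytes (whether they are present depends on the adapter and driver) and that the frame was padded to the 60-byte minimum before the FCS; the frame contents are constructed.

```python
"""Added example: checking and re-sealing the Ethernet FCS of a captured frame
after editing it byte by byte.  Not Sniffer code; the frame below is built
here for illustration and is assumed to include the 4 FCS bytes."""
import struct
import zlib


def ethernet_fcs(frame_body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over DA..payload, sent least-significant byte
    first (zlib.crc32 uses the same polynomial, reflection and final XOR)."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True if the last four bytes are the correct FCS for the rest of the frame."""
    return len(frame) >= 64 and ethernet_fcs(frame[:-4]) == frame[-4:]


def build_frame(dst_hex: str, src_hex: str, ethertype: int, payload: bytes) -> bytes:
    """DA, SA, type, payload, zero padding to 60 bytes, then the FCS."""
    body = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, 60 - len(body))
    return body + ethernet_fcs(body)


def edit_frame(frame: bytes, offset: int, new_bytes: bytes, reseal: bool = True) -> bytes:
    """Overwrite bytes at `offset`, as the hex view does.  With reseal=True the
    FCS is recomputed so the edited frame is valid to send; with reseal=False
    the old FCS is kept, which is what you want when probing a damaged frame:
    if the old FCS now verifies, the edit restored what was on the wire."""
    if offset + len(new_bytes) > len(frame) - 4:
        raise ValueError("edit would overlap the FCS")
    body = bytearray(frame[:-4])
    body[offset:offset + len(new_bytes)] = new_bytes
    body = bytes(body)
    return body + (ethernet_fcs(body) if reseal else frame[-4:])


if __name__ == "__main__":
    # A broadcast ARP request (constructed), then a one-byte corruption at offset 20
    frame = build_frame("FFFFFFFFFFFF", "00000C123456", 0x0806,
                        b"\x00\x01\x08\x00\x06\x04\x00\x01")
    damaged = frame[:20] + bytes([frame[20] ^ 0xFF]) + frame[21:]
    print("original FCS ok:", fcs_ok(frame), " damaged FCS ok:", fcs_ok(damaged))
    print("after restoring byte 20 (old FCS kept):",
          fcs_ok(edit_frame(damaged, 20, frame[20:21], reseal=False)))
```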
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Traffic Generation Uses 


• Planning for growth
  Invoke a load to simulate the amount of traffic a LAN may encounter after a proposed expansion.

• Equipment Analysis
  Determine a component's ability to process packets.

• Troubleshooting
  Re-create a software or protocol bug on the network.

Warning: Traffic generation can crash servers, hosts, routers and workstations. Care should be exercised when generating traffic onto a live network.
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Traffic Generation Defaults

Traffic generator dialog (defaults shown):

    To     = <all stations>
    Size   = 1000
    Delay  = 10.00
    Frames = INFINITE
    Data   = 00000000...
    [x] RI present
    [ ] Single frame mode
    [ ] Buffer mode
    [x] Continuous
    [x] Filtered

Additional information about traffic generation can be found on pages 10-3 through 10-14 in the Expert Sniffer Network Analyzer Operations manual.
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Monitor Statistics 


Statistical displays can be used to:

• Record regular baseline information
• Observe global network performance
• Investigate unusual station activity
• Confirm or deny troubleshooting hypotheses
• Gain insight into the reasons for poor network performance
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Statistical Display Options 


• Numeric or Graphic representation of:

  Global statistics
  Single station
  All stations
  Frame sizes
  Protocols
  Alarm log
  Global history
  Station history
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Monitor Alarms 


Threshold monitoring and alarms can be used to quickly identify:

• High error rates in real time
• Non-responsive or idle hosts, servers and workstations
• Unusual broadcast activity
• Unusually high utilization
• Station and network idle time
• Slow response times

Network General, Troubleshooting with the Expert Sniffer Network Analyzer - 6/94 Rev. 4.4, Advanced Sniffer Features - 25 (page 243)
© Copyright 1990 - 1994 Network General Corporation. All rights reserved.

Audible and Visual Alarms

Network Alarms
• Network idle time threshold alarm
• Broadcast source address alarm
• Intruder alarm (unknown station)
• Network utilization % threshold alarm
• Number of error frames threshold alarm
• Excessive number of frames sent to broadcast address
• Oversize frame

Station Alarms (up to 1,024 individual stations)
• Station bandwidth utilization threshold alarm
• Number of error frames threshold alarm
• Idle time threshold alarm
• No acknowledgment threshold alarm
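To make the alarm list concrete, the Python below is an added example (not the Sniffer's monitor) that evaluates three of the alarms above over a constructed frame stream: the intruder alarm for a source address not in the known-station table, the network utilization % threshold per one-second interval, and the station idle time threshold. A 10 Mb/s line rate, 20 bytes of per-frame overhead for preamble and inter-frame gap, the 30% and 60-second thresholds, and the station addresses and traffic are all the author's assumptions.

```python
"""Added example: a minimal monitor raising three of the alarms listed above
(intruder, network utilization threshold, station idle time) over a
constructed 10 Mb/s Ethernet frame stream.  Not Sniffer code; the station
addresses, thresholds and traffic are made up."""
from dataclasses import dataclass

LINE_RATE = 10_000_000      # bits per second on 10 Mb/s Ethernet
PER_FRAME_OVERHEAD = 20     # preamble + SFD (8 bytes) and inter-frame gap (12 byte times)


@dataclass
class Frame:
    t: float      # capture time in seconds
    src: str      # source DLC address
    dst: str      # destination DLC address
    length: int   # bytes on the wire, DA through FCS


class Monitor:
    def __init__(self, known_stations, util_threshold=30.0, idle_threshold=60.0):
        self.known = set(known_stations)
        self.util_threshold = util_threshold    # percent of LINE_RATE in one second
        self.idle_threshold = idle_threshold    # seconds without a frame from a station
        self.last_seen = {s: None for s in self.known}
        self.reported_intruders = set()
        self.alarms = []          # (time, kind, detail)
        self.cur_sec = None
        self.cur_bits = 0

    def _close_second(self):
        """Evaluate the utilization of the second just completed."""
        if self.cur_sec is not None:
            util = 100.0 * self.cur_bits / LINE_RATE
            if util > self.util_threshold:
                self.alarms.append((self.cur_sec, "utilization", round(util, 1)))
        self.cur_sec, self.cur_bits = None, 0

    def feed(self, f):
        sec = int(f.t)
        if sec != self.cur_sec:
            self._close_second()
            self.cur_sec = sec
        self.cur_bits += (f.length + PER_FRAME_OVERHEAD) * 8
        if f.src in self.known:
            self.last_seen[f.src] = f.t
        elif f.src not in self.reported_intruders:   # unknown station: report once
            self.reported_intruders.add(f.src)
            self.alarms.append((f.t, "intruder", f.src))

    def finish(self, now):
        """Close the last second and raise idle alarms for silent known stations."""
        self._close_second()
        for station, seen in sorted(self.last_seen.items()):
            idle = now if seen is None else now - seen
            if idle > self.idle_threshold:
                self.alarms.append((now, "idle", station))
        return self.alarms


A, B, C = "00000C00AAAA", "00000C00BBBB", "00000C00CCCC"   # constructed addresses


def sample_traffic():
    """Constructed stream: A talks for 10 s, B answers only during the first
    2 s, the unlisted station C appears once, and A bursts 400 maximum-size
    frames during second 3."""
    frames = [Frame(i * 0.1, A, B, 64) for i in range(100)]
    frames += [Frame(i * 0.1 + 0.05, B, A, 64) for i in range(20)]
    frames.append(Frame(1.5, C, "FFFFFFFFFFFF", 64))
    frames += [Frame(3.0 + i * 0.002, A, B, 1518) for i in range(400)]
    return sorted(frames, key=lambda f: f.t)


def run_monitor():
    m = Monitor(known_stations=[A, B])
    for f in sample_traffic():
        m.feed(f)
    m.finish(now=65.0)
    return m


if __name__ == "__main__":
    for alarm in run_monitor().alarms:
        print(alarm)
```

The burst in second 3 carries about 4.9 million bits on the wire, roughly 49% of a 10 Mb/s line, so it trips the 30% utilization alarm; C trips the intruder alarm once; and B, silent since t = 2 s, trips the idle alarm at the 65-second mark while A does not.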
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Monitor Reports 


Reports can be designed and printed:

• At any time for troubleshooting or updates
• At even intervals for management reports
• From a single station viewpoint
• From a global network viewpoint
• From a historical perspective at selected intervals
• With specific data points selected

Additional information on network monitoring can be found in the Sniffer Network Analyzer Ethernet or Token Ring Monitor Operations manuals.
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DCA Remote²

• DCA Remote² is included with every Sniffer to allow remote access to the analyzer via RS-232 media, either with a direct connection or a modem interface.

• Access may be gained using DCA Remote² software on most PC compatibles using popular modems.

• DCA Remote² can be found on the Sniffer's Main Selection Menu.

Additional information on remote Sniffer operation can be found in the Sniffer Network Analyzer DCA Remote² Supplement.
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Section Summary 


• The Sniffer supports many advanced features.

• All features are fully documented in the product documentation.

Practical Sniffer Applications

Section Objectives

• Review Troubleshooting Techniques
• Discuss Using the Sniffer in the Real World
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Troubleshooting Techniques 


• Implement a program for change control
• Perform a baseline analysis at regular intervals
• When trouble occurs, use systematic techniques to isolate and correct problems
• Develop a hypothesis, but don't get "tunnel-vision"
• Repair one thing at a time and test all fixes thoroughly
• Document your discoveries and conclusions
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Techniques For Managing Change

• Modern networks are changing constantly

• Implement a standardized and structured method for change control
  - Develop a process for users to request changes
  - Design and plan changes before implementing them
  - Attach configuration information to components and update it regularly
  - Maintain a master electronic change log

• Document all changes
  - Topology maps
  - Network numbers, host names, etc.
  - Version numbers for hardware and software

• What's Your Strategy?
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Establish A Baseline 


• Statistical characterization of your critical segments
  - Understand and predict growth patterns
  - Intelligently plan for hardware and software implementation
  - Basis for comparison when problems occur

• Response time measurements of regular events
  - Quantify the user's view of the network in real numbers
  - Track performance levels for frequently used tasks and protocols
  - Compare history with current events when response time degrades

• Segment diagrams updated regularly
  - Maintain visual control of your physical network
  - Use as a visual reference when considering changes
  - A basis for continuity when personnel come and go
  - Decrease wasted time if consulting services are necessary
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Measurement

Statistics
  Total Stations
  Max. Inserted Stations
  Average Usage
  Total Frames
  Total Bytes
  Average Frame Size
  Ring Purges
  Error Reports
  #1 Station % Usage
  #2 Station % Usage
  #3 Station % Usage
  Source Routed Frames
  Remote Rings
  Protocol #1 %
  Protocol #2 %
  Protocol #3 %
  Transmit Timer Avg

Response Times
  NetWare Create File Cmd/Resp
  NetWare File Read 512 Cmd/Resp
  NFS Create File Cmd/Resp
  TCP Session Establishment
  Telnet Cmd/Echo/Ack
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Baselining Procedures 


1. Implement a regular schedule for baselining that includes high, medium and low periods of network utilization.

2. Monitor for a standard period of time (10 minutes for example) and record statistical measurements.

3. Start the protocol analyzer and filter on a particular network station.

4. Execute a predetermined set of procedures and commands that will provide the necessary command/response combinations. Document those response times.

5. Record conclusions taken from expert systems. Update segment diagrams.

6. Capture for a reasonable period of time and save the data file to a floppy disk for storage in the baselining folder.

Note: Please see appendix for sample baselining forms.
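The Python below is an added example (not Sniffer code) of the response-time part of this procedure: it pairs commands with their responses in a captured trace to produce the command/response figures listed on the Measurement page (TCP session establishment, Telnet command/echo, NetWare and NFS Create File), then compares them with an earlier baseline and flags the ones that have degraded. The trace records are constructed summary lines, the baseline figures and the 50% degradation limit are made up, and the way a reply is tied to its command (the connection for TCP, a sequence number for NCP, the RPC XID for NFS) is carried in a single `xid` field for simplicity.

```python
"""Added example: measuring the command/response times from the baseline form
on a captured trace and comparing them with an earlier baseline.  Not Sniffer
code; the trace records and baseline values are constructed."""

# form entry -> (protocol, command message, response message)
MEASURES = {
    "TCP 3-Way Handshake": ("TCP", "SYN", "ACK"),
    "Telnet C-Echo-Ack":   ("Telnet", "keystroke", "echo"),
    "NCP Create File C-R": ("NCP", "Create File request", "Create File reply"),
    "NFS Create File C-R": ("NFS", "CREATE call", "CREATE reply"),
}


def response_times(frames):
    """Average seconds from command to response for each measure.  A frame is
    a dict with t, proto, msg and xid; xid is whatever ties a reply to its
    command (the connection, the NCP sequence number, the RPC XID ...)."""
    outstanding = {}
    samples = {}
    for f in frames:
        for measure, (proto, cmd, rsp) in MEASURES.items():
            if f["proto"] != proto:
                continue
            key = (measure, f["xid"])
            if f["msg"] == cmd:
                outstanding[key] = f["t"]
            elif f["msg"] == rsp and key in outstanding:
                samples.setdefault(measure, []).append(f["t"] - outstanding.pop(key))
    return {m: sum(v) / len(v) for m, v in samples.items()}


def compare_to_baseline(current, baseline, max_increase_pct=50.0):
    """Measures whose current value is more than `max_increase_pct` above the
    baseline, with the percentage increase."""
    flagged = {}
    for measure, base in baseline.items():
        if measure in current:
            change = 100.0 * (current[measure] - base) / base
            if change > max_increase_pct:
                flagged[measure] = round(change, 1)
    return flagged


def sample_trace():
    """Constructed summary records from one run of the baselining procedure."""
    return [
        {"t": 0.000, "proto": "TCP", "msg": "SYN", "xid": "ws:1305->srv:23"},
        {"t": 0.004, "proto": "TCP", "msg": "SYN/ACK", "xid": "ws:1305->srv:23"},
        {"t": 0.006, "proto": "TCP", "msg": "ACK", "xid": "ws:1305->srv:23"},
        {"t": 0.100, "proto": "Telnet", "msg": "keystroke", "xid": 1},
        {"t": 0.140, "proto": "Telnet", "msg": "echo", "xid": 1},
        {"t": 0.141, "proto": "Telnet", "msg": "ack", "xid": 1},
        {"t": 0.200, "proto": "NCP", "msg": "Create File request", "xid": 7},
        {"t": 0.212, "proto": "NCP", "msg": "Create File reply", "xid": 7},
        {"t": 0.300, "proto": "NFS", "msg": "CREATE call", "xid": 0x1A2B},
        {"t": 0.345, "proto": "NFS", "msg": "CREATE reply", "xid": 0x1A2B},
    ]


BASELINE = {   # seconds recorded on an earlier baseline form (constructed)
    "TCP 3-Way Handshake": 0.005,
    "Telnet C-Echo-Ack": 0.015,
    "NCP Create File C-R": 0.010,
    "NFS Create File C-R": 0.040,
}

if __name__ == "__main__":
    now = response_times(sample_trace())
    for measure, seconds in now.items():
        print(f"{measure:22s} {seconds * 1000:6.1f} ms")
    print("degraded against baseline:", compare_to_baseline(now, BASELINE))
```

In the constructed run only the Telnet echo has moved far from its baseline, which is the kind of comparison the form is meant to make possible when a user reports slow response.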
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Elements Of A Well-Documented Network

Everything necessary to review history, understand current status, plan for growth and provide comparison when problems occur.
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Be Prepared for Problems 


• Know what's likely to fail on your network.

• Identify your mission-critical applications and data, and locate backups on your network for emergency use.

• Know the Mean Time To Repair (MTTR) of critical components.

• If possible, plan "work-arounds" in advance. For example, be able to tell your users a server's address instead of its name, in case their Name Server goes down.

• Learn your protocols. (The Sniffer Analyzer is a great learning tool!) Practice using your troubleshooting tools before a problem occurs.

• Encourage your technicians to review the troubleshooting experiences of other technicians on a regular basis.
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Repair and Test Thoroughly 


• Assess the scope of the problem
  Make a few phone calls from your desk to see how many users and what areas the problem affects.

• Repair one thing at a time
  If you change multiple elements, you'll never know which repair was the one that actually solved the problem.

• Write down what has been tested and fixed so far
  If the testing isn't documented, time may be wasted repeating work that was already done.

• Test the repair thoroughly
  Don't just test the component or application that identified the problem. Test everything that could be related, as well. If it doesn't work, undo the repair and try something else.

• Keep a Problem/Repair Log
  Log all problems. Include a description of the problem and the fix.
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Repair or Replace the Part

Once you've isolated a probable area of trouble: change one part of the system for a new part of known good quality. If that doesn't help, put the original part back in the system and try a different component. Check parts in this order:

1. Cables and connectors
2. Transceivers or hub ports
3. Interface card
4. Configuration files
5. Driver software
6. Network software
7. Application software
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Typical Network Problems 


#1 No stations on a single segment can access the network 


#2 Stations on a single segment intermittently can’t access 
the network 


#3 A single station can’t access the network 


#4 No stations on a single segment can access another 
segment 


#5 A specific application does not function 


#6 Slow response time 
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Troubleshooting Techniques Summary 


• Prepare in advance
• Use a systematic approach
• Verify the problem by comparing current events to the baseline
• Describe the problem thoroughly
• Hypothesize the probable cause of the problem
• Test the hypothesis, by problem duplication if necessary
• Repair the problem and test the fix
• Repeat the above, if necessary
• Document the problem(s) and the fixes clearly
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Troubleshooting With the Expert Analyzer 


• The longer you capture, the more the Expert Analyzer will learn.

• The Expert Analyzer usually points to configuration problems. Your first step should be to examine configuration parameters and verify what the Expert Analyzer has noticed.

  Examples:
  - Is a router being used to route local frames because of a subnet mask problem?
  - Are frames being re-transmitted because a timeout value is too short?
  - Is bandwidth being poorly used because the maximum frame size has been configured to be very small?

• The Expert Analyzer's symptoms are especially good for proactive network monitoring.

• Let the Expert Analyzer advise you, but also use your own knowledge and experience.
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Start the Analyzer (flowchart)

    Start the Analyzer
          |
    Start Capture in Expert Mode
          |
    Watch and Wait for Diagnoses ---- Need More Info? no --> Conclusion
          | yes
    Get the Big Picture ------------- Need More Info? no --> Conclusion
          | yes
    Focus on Frames ----------------- Need More Info? no --> Conclusion
          | yes
    Capture and Display in Classic Mode ----------------> Conclusion
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Using the Sniffer 
Analyzer: 
A General Approach 


We’ ve learned the details about 
using the Sniffer. 


Now let’s learn how to apply that 
information to real life scenarios. 
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Watch and Wait 


• Watch and wait for the Expert analyzer to provide diagnoses.

• Simply start to capture and observe as the Expert analyzer performs a quick, automatic analysis of captured frames to provide diagnoses at each of the four Expert layers.

• Once a diagnosis occurs, you can investigate it in windows that show various levels of detail.

• Based on this information, you can determine how to correct the problem or whether to investigate further.


Get the Big Picture 


• Get the big picture by looking at symptoms.

• To look at the network as a whole or to further investigate a diagnosis, you can display any detected symptoms, as well as the DLC stations and protocols associated with those symptoms.

• Although symptoms do not necessarily indicate problems, you can investigate them by displaying various levels of detail.
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Focus on Frames 


• Display the frames that caused the symptoms or diagnoses.

• You can also filter for and display the frames associated with detected symptoms and diagnoses.

• This shows you precisely what occurred, in the context of the surrounding frames.
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Capture in Classic Mode 


• Capture and display in Classic mode.

• Choose Classic mode when you know network problems exist and you have your own analysis techniques.

• Instead of waiting for the Expert analyzer to find problems, you can actively capture and interpret those frames that meet your criteria.
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Section Summary 


• Troubleshooting techniques
  - Implement a program for change control
  - Perform a baseline analysis at regular intervals
  - When trouble occurs, use systematic techniques to isolate and correct problems
  - Develop a hypothesis, but don't get "tunnel-vision"
  - Repair one thing at a time and test all fixes thoroughly
  - Document your discoveries and conclusions

• Using the Sniffer in the real world
  - Watch and wait
  - Get the big picture
  - Focus on frames
  - Capture in Classic Mode
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Network Baseline Record - Ethernet

Network Name: ____________    Network Number: ____________
High Date/Time: ____________  Medium Date/Time: ____________  Low Date/Time: ____________

Measurement                 Location                     High Use   Med Use   Low Use   Average
Statistics
  Total Stations            Monitor-Global Statistics
  Average Usage             Monitor-Global Statistics
  Total Frames              Monitor-Global Statistics
  Total Bytes               Monitor-Global Statistics
  Average Frame Size        Monitor-Global Statistics
  Runt Frames               Monitor-Global Statistics
  CRC/Align Errors          Monitor-Global Statistics
  Collisions (EN-II Card)   Monitor-Global Statistics
  #1 Station % Usage        Monitor-All Stations
  #2 Station % Usage        Monitor-All Stations
  #3 Station % Usage        Monitor-All Stations
  Protocol #1 %             Monitor-Protocol Types
  Protocol #2 %             Monitor-Protocol Types
  Protocol #3 %             Monitor-Protocol Types
Response Time
  NCP Create File C-R       Analyzer-Display
  NCP File Read 512 C-R     Analyzer-Display
  NFS Create File C-R       Analyzer-Display
  TCP 3-Way Handshake       Analyzer-Display
  Telnet C-Echo-Ack         Analyzer-Display
Diagnosis List (Expert)

Instructions for recording baseline measurements:

Monitor times: High Use - 9 AM Friday; Med. Use - 3 PM Monday; Low Use - 12 Noon Wednesday.

Monitor for exactly ten minutes and record the measurements above. Then start the Analyzer and set a Capture Filter on your own station. Copy a file from your workstation to the server, then copy that file back to your workstation (make sure the file doesn't previously exist on the server). Then initiate a TCP session by beginning Telnet, and execute a few Telnet keystrokes. Stop your capture and record the required response times. Remove your station address filter and capture from the network until the buffer has approximately 1 Meg of data. Stop the capture and record any Diagnosis above. Save the trace file to disk.
Network Baseline Record - Token Ring

Network Name:                         Network Number:                       Location:

High Date/Time:                       Medium Date/Time:                     Low Date/Time:

Measurement              Statistics                   High Use   Med Use   Low Use
-----------------------------------------------------------------------------------
Total Stations           Monitor-Global Statistics
Max. Inserted Stations   Monitor-Global Statistics
Average Usage            Monitor-Global Statistics
Total Frames             Monitor-Global Statistics
Total Bytes              Monitor-Global Statistics
Average Frame Size       Monitor-Global Statistics
Ring Purges              Monitor-Global Statistics
Soft Error Reports       Monitor-Global Statistics
#1 Station % Usage       Monitor-All Stations
#2 Station % Usage       Monitor-All Stations
#3 Station % Usage       Monitor-All Stations
Source Routed Frames     Monitor-Routing Paths
Remote Rings             Monitor-Routing Paths
Protocol #1 %            Monitor-Protocol Types
Protocol #2 %            Monitor-Protocol Types
Protocol #3 %            Monitor-Protocol Types
Transmit Timer Avg       Monitor-Transmit Timer

Response Time                                         Average
-----------------------------------------------------------------------------------
NCP Create File C-R      Analyzer-Display
NCP File Read 512 C-R    Analyzer-Display
NFS Create File C-R      Analyzer-Display
TCP 3-Way Handshake      Analyzer-Display
Telnet C-Echo-Ack        Analyzer-Display

Diagnosis List (Expert)

Instructions for recording baseline measurements:

Monitor times:
High Use - 9 AM Friday
Med. Use - 3 PM Monday
Low Use - 12 Noon Wednesday

Monitor for exactly ten minutes and record the measurements above. Then start the Analyzer and set a Capture Filter
on your own station. Copy a file from your workstation to the server, then copy that file back to your
workstation (make sure the file doesn't previously exist on the server). Then initiate a TCP session by beginning
Telnet, and execute a few Telnet keystrokes. Stop your capture and record the required response times. Remove
your station address filter and capture from the network until the buffer has approximately 1 Meg of data. Stop
the capture and record any Diagnosis above. Save the trace file to disk.
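The baseline procedure above produces one filled-in record per monitoring window; the value of the record comes later, when a fresh ten-minute sample is held against the three recorded columns. The following is an added example, not part of the course materials: a small Python script that holds the High/Med/Low columns of a constructed Token Ring baseline record, derives the Average Frame Size row from the Total Bytes and Total Frames counters, and flags the rows of a new measurement that fall outside the baselined range. The row names, the 15% tolerance and every figure are assumptions chosen for illustration.

```python
"""Check a fresh ten-minute Token Ring measurement against a Network Baseline Record.

Added example; the baseline figures and the new measurement below are constructed
for illustration and are not measurements from the course.
"""

# One entry per row of the record: (High Use, Med Use, Low Use), as read from the
# Monitor-Global Statistics, Monitor-Routing Paths and Analyzer-Display screens.
BASELINE = {
    "Average Usage %":        (38.0, 22.0, 9.0),
    "Total Frames":           (410_000, 240_000, 95_000),
    "Total Bytes":            (151_000_000, 88_000_000, 30_000_000),
    "Ring Purges":            (2, 1, 0),
    "Soft Error Reports":     (5, 3, 1),
    "Source Routed Frames":   (61_000, 35_000, 12_000),
    "TCP 3-Way Handshake ms": (14.0, 9.0, 6.0),
    "Telnet C-Echo-Ack ms":   (31.0, 20.0, 15.0),
}

# Error counters: any excess over the busiest baseline window is worth a look,
# because purges and soft errors should not grow just because the ring is busy.
ERROR_ROWS = {"Ring Purges", "Soft Error Reports"}
# Response-time rows: larger is worse, so they are compared against the slowest
# baselined value rather than the High Use column.
LATENCY_ROWS = {row for row in BASELINE if row.endswith(" ms")}


def average_frame_size(total_bytes, total_frames):
    """The Average Frame Size row, derived from two Monitor-Global counters."""
    return total_bytes / total_frames if total_frames else 0.0


def compare_to_baseline(measurement, baseline=BASELINE, tolerance=0.15):
    """Return {row: explanation} for every measured row outside the baselined range.

    Traffic rows may exceed the High Use figure by `tolerance` (15% by default)
    before being flagged; error rows are flagged on any excess over High Use;
    latency rows are flagged when slower than the slowest baselined value by
    more than `tolerance`.  Rows missing from the measurement are skipped.
    """
    findings = {}
    for row, (high, med, low) in baseline.items():
        if row not in measurement:
            continue
        value = measurement[row]
        if row in ERROR_ROWS:
            if value > high:
                findings[row] = f"{value} exceeds High Use baseline of {high}"
        elif row in LATENCY_ROWS:
            slowest = max(high, med, low)
            if value > slowest * (1 + tolerance):
                findings[row] = f"{value} ms is slower than the slowest baseline ({slowest} ms)"
        elif value > high * (1 + tolerance):
            findings[row] = f"{value} is more than {tolerance:.0%} above High Use baseline of {high}"
    return findings


# Constructed Friday-morning sample: traffic is in range, but ring purges and the
# Telnet echo round trip have drifted, which is the pattern a baseline is kept to catch.
SAMPLE = {
    "Average Usage %":        41.0,
    "Total Frames":           425_000,
    "Total Bytes":            160_000_000,
    "Ring Purges":            7,
    "Soft Error Reports":     4,
    "Source Routed Frames":   58_000,
    "TCP 3-Way Handshake ms": 15.0,
    "Telnet C-Echo-Ack ms":   40.0,
}

if __name__ == "__main__":
    size = average_frame_size(SAMPLE["Total Bytes"], SAMPLE["Total Frames"])
    print(f"Average Frame Size: {size:.1f} bytes")
    for row, why in compare_to_baseline(SAMPLE).items():
        print(f"{row}: {why}")
```

Run as a script it prints the derived frame size and the two rows that drifted; the tolerance is deliberately applied only upward for traffic rows, since a quiet ring is not a fault, while the error rows get no tolerance at all.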
Glossary

1BASE5  The implementation of the IEEE 802.3 (StarLAN) standard using
1 megabit per second transmission on a baseband medium whose
maximum segment length is 500 meters.

10BASE2  The implementation of the IEEE 802.3 (Ethernet) standard using
10 megabit per second transmission on a baseband medium whose
maximum segment length is 185 meters.

10BASE5  The implementation of the IEEE 802.3 (Ethernet) standard using
10 megabit per second transmission on a baseband medium whose
maximum segment length is 500 meters.

10BASE-T  The implementation of the IEEE 802.3 (Ethernet) standard using
10 megabit per second transmission on a baseband medium. The
standard provides a means for attaching AUI-compatible devices
to 24 gauge, unshielded twisted pair cable, instead of the usual
coaxial media.

3Com 3+  A networking system from 3Com Corporation using parts of the
XNS and Microsoft/IBM PC LAN program protocols.

3Plus  3Com’s implementation of XNS. Interpreted by the XNS PI suite.

802.2  The IEEE standards designation for the LLC sublayer protocol
that provides both datagram and reliable connection transmission.

802.3  The IEEE standards designation for the CSMA/CD network
access method. Similar to (and often used interchangeably with)
Ethernet.

802.4  The IEEE standards designation for token bus networks. Used
primarily with MAP protocols.

802.5  The IEEE standards designation for the token ring network
access method.

AARP  AppleTalk Address Resolution Protocol. For outgoing packets,
supplies the hardware destination address corresponding to a
higher-level protocol address, and filters incoming packets to pass
only those that are broadcast or specifically addressed to it.
Interpreted in the AppleTalk PI suite.
AC  Access control. A DLC byte on IEEE 802.5 token ring networks
that contains the token indicator and frame priority information.

ACSE  Association Control Service Element. An ISO application-level
protocol interpreted in the ISO PI suite.

ACTPU  Activate Physical Unit. An SNA message sent to start a session.

ACK  Acknowledge. A network packet acknowledging the receipt of
data.

active monitor  A computer on a token ring that acts as the controller for the
ring, regulating the token and other performance aspects.

ACT  Absolute Congestion Threshold. Frame Relay term.

ADSP  AppleTalk Data Stream Protocol. A connection-oriented protocol
providing a reliable, full-duplex, byte-stream service between any
two sockets on an AppleTalk internet. Interpreted in the
AppleTalk PI suite.

advertising  The process by which a service makes its presence known on the
network. Typically provided through some sort of LAN-based
multicast.

AEP  AppleTalk Echo Protocol. See Echo.

AFP  AppleTalk Filing Protocol. A presentation-level protocol for
access to remote files. Interpreted in the AppleTalk PI suite.

ALAP  AppleTalk Link Access Protocol. See LAP.

alarm  Network statistics sent from a DSS Server to a connected
Console over a LAN or WAN. Triggered by the monitor or
analyzer application on the Server when network statistics exceed
certain thresholds. Consists of the name of an offender, a
timestamp, and an alarm priority threshold.

alert  Notification of an alarm condition. Sent from a DSS Server to a
non-connected unit such as a pager or a Console. Consists of a
numeric identifier and a numeric value of the alarm threshold.
API  Application Program Interface. The specification of functions and
data used by one program module to access another; the
programming interface that corresponds to the boundary between
protocol layers.

APPC  Advanced Program-to-Program Communications. A
communications system used to communicate between
transaction programs on IBM computers; APPC uses the LU 6.2
subset of SNA.

architecture  The architecture of a system refers to how the system is designed
and how the components of the system are connected to, and
operate with each other.

ARCNET  A baseband token-passing network originally designed by the
Datapoint Corporation that communicates among up to 255
stations at 2.5 Mbps.

ARP  Address Resolution Protocol.
(1) A protocol within TCP/IP for finding a node’s DLC addresses
from its IP address. Interpreted in the TCP/IP PI suite.
(2) Interpreted in the Banyan VINES PI suite.

ASCII  American Standard Code for Information Interchange. A mapping
between numeric codes and graphical characters used almost
universally for all personal computer and non-IBM mainframe
applications.

ASN.1  Abstract Syntax Notation One. A set of conventions governing
the ISO presentation layer. Interpreted in the ISO PI suite.

ASP  AppleTalk Session Protocol. A general protocol, built upon ATP,
providing session establishment, maintenance, and tear-down,
along with request sequencing. Interpreted in the AppleTalk PI
suite.

asynchronous  A method of data transmission which allows characters to be sent
at irregular intervals by preceding each character with a start bit
and following it with a stop bit. Commonly used to communicate
with modems and printers.

ATP  AppleTalk Transaction Protocol. Provides a loss-free transaction
service between sockets, allowing exchanges between two socket
clients in which one client requests the other to perform a
particular task and report the result. Interpreted in the AppleTalk
PI suite.

AUI  Attachment Unit Interface. Drop cable for Ethernet between
station and transceiver.

backbone  The backbone is the part of the communications network which
carries the heaviest traffic. It is one basis for design of the overall
network service.

background services  A protocol transmitted by a Matchmaker frame in Banyan
VINES.

background task  A secondary job performed while the user is performing a primary
task. For example, many network servers will carry out the duties
of the network (controlling communications) in the background
while at the same time the users are running their own
applications (such as word processors).

bandwidth  The amount of data that can be moved through a particular
communications link. For example, Ethernet has a bandwidth of
10Mbits/s.

baseband  A transmission technique that sends data bits without using a
much higher carrier frequency (contrast with broadband). The
entire bandwidth of the transmission medium is used by one
signal.

baud rate  A measure of signaling speed in data communications. Specifies
the number of signal elements that can be transmitted each
second. For most purposes, at slow speeds, a baud rate is the
same as the speed in bits per second.

BCC  Block Check Character. Another word for Frame Check
Sequence.

beacon  A token ring packet that signals a serious failure on the ring.

BECN  Backward Explicit Congestion Notification. The sixth bit in the
second octet of the frame relay header. Used to inform a
subscriber device of congestion in the backward direction.
BER  Bit error rate. The percentage of received bits in error compared
to the total amount of bits received. Usually expressed
exponentially.

BERT  Bit error rate test. Test used to ascertain the bit error rate on a
given wide-area link.

BIND  An SNA message sent to activate a session between LUs.

bipolar  The predominant signaling method used for digital transmission
services, such as DDS and T1.

BIS  Bracket Initiation Stopped. An SNA message sent to indicate that
the sending station will not attempt to initiate any more brackets.

BNC  A standardized coaxial cable connector; used for Thin Ethernet
(“Cheapernet”) cables and ARCNET networks.

BOOTP  Boot Protocol. A protocol within TCP/IP that is used for
downloading initial programs into networked stations. Interpreted
in the TCP/IP PI suite.

breakout box  A test device used to view the signals in an RS-232, V.35, or
other interface. The breakout box is used to diagnose problems
with the interface.

bridge  A device used to connect two separate networks into one
extended network. Bridges only forward packets between
networks that are destined for the other network.

broadband  A transmission technique that sends data bits encoded within a
much higher radio-frequency carrier signal. The transmission
medium may be shared by many simultaneous signals since each
one only uses part of the available bandwidth.

broadcast  (1) A message directed to all stations on a network or collection
of networks.
(2) A destination address that designates all stations.

buffer  A software program, storage space in RAM, or a separate device
used to store data. For example, the Sniffer Network Analyzer’s
capture buffer serves as a temporary storage space for captured
network data until it can be saved to disk.
bursty traffic  Data communications term referring to an uneven pattern of data
transmission.

capture  The process in which the Sniffer analyzer records network traffic
for interpretation. Generally speaking, this interpretation takes
place during display. However, the Expert Sniffer analyzer
simultaneously captures and interprets network traffic.

CCITT  International Consultative Committee for Telephony and
Telegraphy. CCITT is a member of the International
Telecommunications Union (ITU) that is, in turn, a specialized
body within the United Nations. It sponsors a number of
standards dealing with data communications networks, telephone
switching standards, digital systems, and terminals.

CGA  Color Graphics Adapter. The interface between a personal
computer and a medium-resolution color monitor.

chat script  A group of three chat strings (Setup, Listen, and Disconnect) that
control communication parameters for an asynchronous device.

chat string  A UNIX-style command/response sequence of characters which
are downloaded to a serial device in order to control the device.

CIR  Committed Information Rate. The largest number of bits per
second that a frame relay network agrees to carry for a PVC. CIR
is assigned at the time of subscription to the frame relay service.

client  1. A module that uses the services of another module. The session
layer is a client of the transport layer, for example.
2. A PC or workstation that accesses services or applications
from another “server” PC or workstation.

CLLM  Consolidated Link Layer Management. An access signaling
protocol specified by ANSI for frame relay links.

CLNS  Connectionless Network Service Protocol (also called ISO IP).
Interpreted in the ISO PI suite.

CMIP  Common Management Information and Services Protocol. When
used with TCP/IP, it is also known as CMOT.
CMOT  Common Management Information and Services Protocol Over
TCP. A management protocol for networks; it uses ASN.1
encoding. Interpreted in the TCP/IP and ISO PIs.

compression  Reducing the bandwidth or bits necessary to encode information.

concentrator  A central point for connecting many individual stations to a
network ring. Found most often on FDDI networks.

Courier  A presentation-level protocol in XNS (similar to RPC in the Sun
protocol family); it delivers data to such application-level
protocols as XNS Printing, XNS Filing, or XNS Clearinghouse.

CRC  Cyclic Redundancy Check. A check-word, typically two or four
bytes at the end of a frame, used to detect errors in the data
portion of the frame.

CSMA/CA  Carrier Sense Multiple Access with Collision Avoidance. A
random access or contention-based control technique; the
algorithm used in LocalTalk networks to control transmission.

CSMA/CD  Carrier Sense Multiple Access with Collision Detection. A
random access or contention-based control technique; the
algorithm used by IEEE 802.3 and Ethernet networks to control
transmission.

CTERM  Command Terminal. A protocol within DECnet for
communicating with generic intelligent terminals, that is, a virtual
terminal protocol. Interpreted in the DECnet PI suite.

DAC  Dual Attachment Concentrator. A concentrator that offers two
connections to the FDDI network capable of accommodating the
FDDI dual ring, and additional ports for connection of other
concentrators or FDDI stations.

DAP  Data Access Protocol. The DECnet protocol that provides
remote file access. Interpreted in the DECnet PI suite.

DAS  Dual Attachment Station. An FDDI station that offers two
connections to the FDDI dual counter-rotating ring.
DB-9  A 9-pin standardized connector used in personal computers for a
token ring network connection (female), serial I/O port (male),
and RGBI output. Also used for LocalTalk.

DB-15  A 15-pin standardized connector used at the transceiver, the drop
cable, and the station of IEEE 802.3 or Ethernet network
components.

DB-25  A 25-pin standardized connector used in personal computers for
parallel output ports (female connector on IBM PC chassis) or for
serial I/O ports (male connector on IBM PC chassis).

DCE  Data Circuit-terminating Equipment (also called Data
Communications Equipment). On a serial communications link,
the device that connects the DTEs into the communication line or
channel.

DDP  Datagram Delivery Protocol. Extends the services of the
underlying LAP protocol to include an internet of interconnected
AppleTalk networks, with provision to address packets to sockets
within a node. Interpreted in the AppleTalk PI suite.

DE Bit  Discard Eligibility Bit. The seventh bit of the second octet of the
frame relay header. A value of 1 in the DE bit indicates that the
frame is eligible for discard by a congested network.

destination address  That part of a message which indicates for whom the message is
intended. Usually a collection of characters or bits. Just like
putting a destination address on an envelope.

DFC  Data Flow Control. An SNA subprocess for reliable message
transfer.

diagnosis  A problem on the network detected by the Expert Sniffer
analyzer. The Expert Sniffer analyzer detects and alerts users to
diagnoses as it discovers them on the network to which it is
attached.

DIP switch  Dual In-Line Package. A small switch usually attached to a
printed circuit board. Usually requires a small screwdriver to
change. There are only two settings: on or off. Printed circuit
boards usually have “banks” of multiple DIP switches used to
configure the board in a semi-permanent way.
DIS  Draft International Standard. One of the stages in defining ISO
protocols. Final stage is IS.

DISC  Disconnect. An LLC non-data frame indicating that the
connection established by an earlier SABM or SABME is to be
broken.

display  The process in which the Sniffer analyzer interprets the traffic
recorded during capture. During display, the analyzer decodes the
various layers of protocol in the recorded frames and displays
them as English abbreviations or summaries.

DIX  DEC/Intel/Xerox. Used to refer to an early version of Ethernet.

DLC  Data Link Control. The lowest protocol level within the
transmitted network frame; fields typically include the Destination
address, and Source address, and perhaps other control
information.

DLCI  Data Link Connection Identifier. 10-bit number used by the
Frame Relay protocol to identify a virtual circuit.

DLL  1. Downline load. A protocol within the Datapoint RMS family
used for downloading initial programs into networked stations.
2. Dynamic Link Library. A type of program library used in MS-Windows.

DM  Disconnected Mode. An LLC message acknowledging that a
previously established connection has been broken.

DNS  Domain Name Service. A protocol within TCP/IP for finding out
information about resources using a database distributed among
different name servers. Interpreted in the TCP/IP PI suite.

DOS  Disk Operating System. The most common operating system for
IBM-compatible personal computers.

DRP  DECnet Routing Protocol. The lowest-level DECnet protocol,
concerned with moving packets from endnodes through routers
to other endnodes. (“Routing” in DNA terminology corresponds
to the ISO model’s “Network” layer).
DSAP  Destination Service Access Point. The LLC SAP for the protocol
expected to be used by the destination station in decoding the
frame data.

DTE  Data Terminal Equipment. On a serial communications link, a
generic term used to describe the host or end-user machine.

duplex  Characteristic of data transmission. Either full or half duplex. Full
permits simultaneous two-way communication. Half means only
one side can talk at a time.

E1  A digital transmission link with a capacity of 2.048 Mbps (CCITT
version of T1).

EBCDIC  Extended Binary-Coded-Decimal Interchange Code. A mapping
between numeric codes and graphical characters used for IBM
mainframe computers and communications protocols defined by
IBM.

Echo  (1) A request/response protocol within XNS used to verify the
existence of a host.
(2) A protocol within AppleTalk that allows any node to send a
datagram to any other node and to receive an echoed copy of that
packet in return to verify the existence of that node or to make
round trip delay measurements. Interpreted in the AppleTalk PI
suite.
(3) A protocol transmitted by a Matchmaker frame in Banyan
VINES.

EGP  Exterior Gateway Protocol. A protocol within TCP/IP used to
exchange routing information among gateways belonging to the
same or different systems. A generalization of GGP.

EIA  Electronic Industries Association. A standard organization
specializing in the electrical and functional characteristics of
interface equipment.

ELAP  See LAP.

EPROM  Erasable Programmable Read Only Memory. A read-only
memory device which can be erased and reprogrammed.
EPROMs do not lose their memory when power is shut off.
Error  A protocol within XNS by which a station reports that it has
received (and is discarding) a defective packet. Interpreted in the
XNS PI suite.

error rate  In data transmission, the ratio of the number of incorrect elements
transmitted to the total number of elements transmitted.

ES-IS Routing  End-System to Intermediate-System Routing. A protocol within
the ISO family used to exchange routing information between
gateways and hosts. Interpreted in the ISO PI suite.

Ethernet  A CSMA/CD network standard originally developed by Xerox;
similar to (and often used interchangeably with) the IEEE 802.3
standard.

Ethertype  A 2-byte protocol-type code in Ethernet frames used by several
manufacturers but independent of the IEEE 802.3 standard.

FC  Frame control. On a token ring network, the DLC byte that
contains the frame’s type.

FCS  Frame check sequence. A redundant check field used to increase
the probability of error-free transmission on the network.

FDDI  Fiber Distributed Data Interface. ANSI/ISO standards that
defines a 100Mb/s LAN over a fiber-optic media using a timed
token over a dual ring of trees.

FECN  Forward Explicit Congestion Notification. The fifth bit in the
second octet of the frame relay header. Used to inform a
subscriber device of congestion in the forward direction.

FEP  Front-End Processor. The “traffic cop” of the data
communications world. Typically sits in front of a computer and
is designed to handle the telecommunications burden so the
computer can concentrate on handling the processing burden.

FID  Format Identification. A field in the SNA Transmission header
indicating the type of nodes participating in the conversation. LU
6.2 nodes are type 2.

filter  The Sniffer analyzer uses several varieties of filters, including the
following. (1) Capture filters. These filters determine which
arriving frames the analyzer discards and which it retains. (2)
Display filters. These filters determine which frames in the capture
buffer will be displayed. Eliminating a frame from display with a
display filter does not remove the frame from memory. Rather, it
simply removes the frame from display.
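The FECN entry above, together with the DLCI, BECN and DE Bit entries earlier in the glossary, describes the two-octet Frame Relay address field one bit at a time. As an added example (not from the course), the Python below decodes and builds that field using the bit positions the glossary gives, counting from the most significant bit of the second octet: FECN is the fifth bit, BECN the sixth and DE the seventh, and the ten-bit DLCI is split six bits into the first octet and four into the second. That the eighth bit of each octet is the address-extension (EA) flag and that the first octet also carries a command/response bit are assumptions taken from the standard Q.922 layout rather than statements on the page. The sample frames are constructed, and the per-DLCI tally at the end is the kind of view an analyst would want when a PVC is suspected of running over its CIR.

```python
"""Decode and build the two-octet Frame Relay address field.

Added example.  Bit positions follow the glossary entries for DLCI, FECN, BECN
and DE; the EA and C/R bit positions are assumed from the standard Q.922 layout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameRelayHeader:
    dlci: int      # 10-bit Data Link Connection Identifier
    cr: bool       # command/response bit (carried transparently by the network)
    fecn: bool     # Forward Explicit Congestion Notification
    becn: bool     # Backward Explicit Congestion Notification
    de: bool       # Discard Eligibility


# Masks for the second octet, counting bit 1 as the most significant bit:
FECN_MASK = 0x08   # fifth bit
BECN_MASK = 0x04   # sixth bit
DE_MASK = 0x02     # seventh bit
EA_MASK = 0x01     # eighth bit: address extension (1 marks the last address octet)
CR_MASK = 0x02     # seventh bit of the first octet


def parse_fr_header(octets: bytes) -> FrameRelayHeader:
    """Parse the first two octets of a Frame Relay frame."""
    if len(octets) < 2:
        raise ValueError("address field needs two octets")
    first, second = octets[0], octets[1]
    # A two-octet address has EA = 0 in the first octet and EA = 1 in the second.
    if first & EA_MASK or not second & EA_MASK:
        raise ValueError("not a two-octet address field (EA bits)")
    # The high six DLCI bits sit above C/R and EA in the first octet; the low
    # four sit above FECN/BECN/DE/EA in the second.
    dlci = ((first >> 2) << 4) | (second >> 4)
    return FrameRelayHeader(
        dlci=dlci,
        cr=bool(first & CR_MASK),
        fecn=bool(second & FECN_MASK),
        becn=bool(second & BECN_MASK),
        de=bool(second & DE_MASK),
    )


def build_fr_header(dlci: int, fecn=False, becn=False, de=False, cr=False) -> bytes:
    """Inverse of parse_fr_header: produce the two address octets."""
    if not 0 <= dlci < 1024:
        raise ValueError("DLCI must fit in 10 bits")
    first = ((dlci >> 4) << 2) | (CR_MASK if cr else 0)        # EA = 0
    second = ((dlci & 0x0F) << 4) | EA_MASK                     # EA = 1
    second |= (FECN_MASK if fecn else 0) | (BECN_MASK if becn else 0) | (DE_MASK if de else 0)
    return bytes([first, second])


def congestion_by_dlci(frames):
    """Tally FECN/BECN/DE marks per virtual circuit over a sequence of frames.

    Returns {dlci: {"frames": n, "fecn": n, "becn": n, "de": n}}.  A rising BECN
    count on a PVC means the far end is being told there is congestion behind it;
    DE-marked frames are the ones a congested network may drop first.
    """
    tally = {}
    for frame in frames:
        hdr = parse_fr_header(frame)
        counts = tally.setdefault(hdr.dlci, {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
        counts["frames"] += 1
        counts["fecn"] += hdr.fecn
        counts["becn"] += hdr.becn
        counts["de"] += hdr.de
    return tally


# Constructed sample: three frames on DLCI 16 and one on DLCI 17, payloads omitted.
SAMPLE_FRAMES = [
    build_fr_header(16),
    build_fr_header(16, becn=True),
    build_fr_header(16, becn=True, de=True),
    build_fr_header(17, fecn=True),
]

if __name__ == "__main__":
    for dlci, counts in sorted(congestion_by_dlci(SAMPLE_FRAMES).items()):
        print(f"DLCI {dlci}: {counts}")
```

The EA check matters in practice: a frame whose first octet has EA set is using a longer address format, and reading FECN/BECN/DE out of its second octet would silently return wrong answers, so the decoder refuses it instead.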
flow control  Hardware or software mechanisms used in data communications
to turn off transmission when the receiving workstation is unable
to store the data it is receiving. Various methods of regulating the
flow of data during a conversation. Buffers are an example of
flow control.

FMD  Function Management Data. A class of data embedded at the start
of SNA RUs.

FMH  Function Management Header. The header part of SNA FMD
containing addressing and transmission control information.

FOUND  Foundation Services. A protocol within DECnet used for
primitive terminal-handling services. Interpreted in the DECnet PI
suite.

frame  The multi-byte unit of data transmitted at one time by a station on
the network; synonymous with Packet.

frame check sequence (FCS)  In bit-oriented protocols, a 16-bit field added to the end of a
frame that contains transmission error-checking information.
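The frame check sequence entry above and the CRC and FCS entries earlier in the glossary describe one mechanism at two widths: a 16-bit check-word in HDLC-style bit-oriented protocols and a 32-bit one on Ethernet, token ring and FDDI. As an added example (not from the course), the Python below implements a generic bit-serial reflected CRC, instantiates it as the 16-bit CRC used for the HDLC/X.25 FCS and as the IEEE CRC-32, cross-checks the CRC-32 against Python's own zlib.crc32, appends and verifies an Ethernet-style FCS on a constructed frame, and shows that a single flipped bit is caught. Choosing the X.25 parameters for the 16-bit case is an assumption; the page only says that the field is 16 bits wide.

```python
"""Frame check sequences as CRCs.

Added example.  A generic reflected CRC computed bit by bit, instantiated for the
16-bit HDLC/X.25 FCS and the 32-bit IEEE 802.3 FCS.  The sample frame is constructed.
"""
import zlib


def crc_reflected(data: bytes, poly: int, width: int, init: int, xorout: int) -> int:
    """Bit-serial CRC over `data` for a reflected (LSB-first) polynomial `poly`.

    Each input bit shifts the register right; when the bit falling off the end is
    set, the polynomial is XORed in.  This is the polynomial division behind the
    glossary's "check-word", written out without lookup tables.
    """
    mask = (1 << width) - 1
    crc = init & mask
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return (crc ^ xorout) & mask


def crc16_x25(data: bytes) -> int:
    """16-bit FCS as used by HDLC/X.25 (poly 0x1021 reflected to 0x8408, init and xorout 0xFFFF)."""
    return crc_reflected(data, 0x8408, 16, 0xFFFF, 0xFFFF)


def crc32_ieee(data: bytes) -> int:
    """32-bit FCS as used by Ethernet, token ring and FDDI (poly 0x04C11DB7 reflected to 0xEDB88320)."""
    return crc_reflected(data, 0xEDB88320, 32, 0xFFFFFFFF, 0xFFFFFFFF)


def matches_zlib(data: bytes) -> bool:
    """Cross-check the bit-serial CRC-32 against the table-driven one in zlib."""
    return crc32_ieee(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def append_fcs(frame: bytes) -> bytes:
    """Append the 32-bit FCS; Ethernet transmits it least-significant byte first."""
    return frame + crc32_ieee(frame).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing four bytes match the CRC of everything before them."""
    if len(frame) < 4:
        return False
    return crc32_ieee(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Return a copy of `frame` with one bit inverted (a simulated line error)."""
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


# Constructed Ethernet frame: destination, source, Ethertype 0x0800 (IP), short payload.
SAMPLE_FRAME = (
    bytes.fromhex("00 00 0c 00 00 01")      # destination (constructed address)
    + bytes.fromhex("00 00 0c 00 00 02")    # source (constructed address)
    + bytes.fromhex("08 00")                # Ethertype: IP
    + b"\x45\x00\x00\x1c" + b"\x00" * 24    # start of an IP header plus padding
)

if __name__ == "__main__":
    framed = append_fcs(SAMPLE_FRAME)
    print("crc32 agrees with zlib:", matches_zlib(SAMPLE_FRAME))
    print("good frame passes:     ", fcs_ok(framed))
    print("flipped bit detected:  ", not fcs_ok(flip_bit(framed, 100)))
```

The two CRC functions differ only in their parameters, which is the point of the generic routine: the "two or four bytes" in the CRC entry are the same division with a different width. An FCS detects corruption, not tampering; anyone who can rewrite the frame can recompute it, so it is an integrity check against noise and nothing more.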


Frame Relay  A streamlined access protocol commonly used for LAN
interconnectivity.

FRMR  Frame Reject. An LLC command or response indicating that a
previous frame had a bad format and is being rejected. The
FRMR frame contains five bytes of data explaining why and how
the previous frame was bad.

Front-End Processor  See “FEP.”

FRP  Fragmentation Protocol. Breaks up and reassembles network-layer
packets so that they are acceptable to the data-link protocol
and the underlying physical medium; used on networks whose
physical medium is ARCNET. Interpreted in the Banyan VINES
PI suites.
FS  Frame status. A byte appended to a token ring network frame
following the CRC. It contains the Address Recognized and
Frame Copied bits.

FTAM  File Transfer, Access and Management. An application-level
protocol within the ISO suite, on top of ACSE.

FTP  File Transfer Protocol.
(1) A protocol based on TCP/IP for reliable file transfer.
Interpreted in the TCP/IP PI suite.
(2) A protocol transmitted by a Matchmaker frame in Banyan
VINES.

functional address  A limited broadcast destination address for IEEE 802.5 token
ring networks. Individual bits in the address specify attributes that
stations eligible to receive the frame should have. Similar to
“multicast address.”

gateway  In the general sense, a gateway is a computer that connects two
different networks together. Usually, this means two different
kinds of networks, such as SNA and DECnet. In TCP/IP
terminology, however, a gateway connects two separately
administered subnetworks, which may or may not be running the
same networking protocols.

GGP  Gateway-to-gateway protocol. A protocol within TCP/IP used to
exchange routing information between IP gateways and hosts.
Interpreted in the TCP/IP PI suite. See also EGP.

GUI  Graphical User Interface, pronounced “gooey”. An operating
system or environment that displays options on the screen as
icons, or picture symbols.

handshaking  The electrical exchange of predetermined signals when a
connection is made between two devices carrying data. Just as
people shake hands when they meet, computers must go through
a procedure of “greeting” the opposite party and preparing for
communications.

HDLC  High-level Data Link Control. A standard bit-oriented protocol
developed by the International Standards Organization (ISO). In
HDLC, control information is always placed in the same position.
Specific bit patterns used for control differ dramatically from
those used to represent data, minimizing errors. Many
internetworking companies (such as Cisco and Vitalink) have
developed proprietary versions of HDLC, which the Sniffer
Internetwork Analyzer can decode.

header  The beginning portion of a message which contains destination
address, source address, message-numbering, and other
information. The header helps direct the message along its
journey. Different protocols implement headers in different ways.

hop  A term used in routing. A hop is one data link. A path to the final
destination on a net is a series of hops away from the origin. Each
hop has a cost associated with it, allowing the calculation of a
least cost path.

hub  A concentrator and repeater for the network. Generally speaking,
a hub is a central point for wiring or computing in a network. For
StarLAN, it is more properly known as a Network Hub Unit or as
a Network Extension Unit.

I  Information. An LLC, HDLC, or SDLC frame type used to send
sequenced data that must be acknowledged.

ICMP  Internet Control Message Protocol. A protocol within TCP/IP
used principally to report errors in datagram transmission.
Interpreted in the TCP/IP PI suite.

ICP  Internet Control Protocol. Used to broadcast notification of
errors and to note changes in network topology in Banyan
VINES. Interpreted in XNS PI suite.

IDP  Internet Datagram Protocol. Delivers to an internet address a
single frame as an independent entity, without regard to other
packets or to the addressee’s response.

IEEE  Institute of Electrical and Electronics Engineers, Inc. Standards
documents are available from them at 345 East 47th Street, New
York, NY 10017.

IGRP  Interior Gateway Routing Protocol. Cisco routing protocol
designed for campus-wide use, as opposed to wide-area use.
IONET  Input/Output Network. A device message protocol used by
Datapoint.

IP  Internet Protocol. The lowest-level protocol under TCP/IP that is
responsible for end-to-end forwarding and long packet
fragmentation control. Interpreted in the TCP/IP PI suite. A
similar protocol is interpreted in the Banyan VINES PI. See also
the IPX and ISO IP protocols.

IPC  Interprocess Communication Protocol. A transport-level protocol
in Banyan VINES, providing reliable message service and
unreliable datagram service. Interpreted in the Banyan VINES PI
suite.

IPX  Internet Protocol. Novell’s implementation of Xerox Internet
Datagram Protocol. Interpreted in the Novell NetWare PI suite.

IS  1. International Standard. The final phase for an ISO protocol
definition. At this point, the protocol is fully specified and
guaranteed not to change.
2. Intermediate System. An OSI term for a system that originates
and terminates traffic, and that also forwards traffic to other
systems.

ISDN  Integrated Services Digital Network. A digital telephone
technology that combines voice and data services on a single
circuit. Source of many ideas for frame relay networking.

ISO  International Organization for Standardization (or International
Standards Organization).
(1) A consortium that is establishing a suite of networking
protocols;
(2) The protocols standardized by that group.

ISODE  ISO Development Environment. Protocol for transmitting higher-level
ISO protocols over a network whose lower levels are
handled by TCP/IP. Interpreted in the TCP/IP and ISO PI suites.

ISO IP  The ISO standard Internet Protocol. Interpreted in the ISO PI
suite.

KSP  Kiewit Stream Protocol. A transport protocol resembling TCP
developed at Dartmouth College for the support of terminal
emulators connected to AppleTalk networks; interpreted in the
AppleTalk PI suite.

LAN  Local Area Network. The hardware and software used to connect
computers together in a limited geographical area.

LAP  Link Access Protocol. The logical level protocol for AppleTalk.
It exists in two variants: ELAP (for Ethernet) and LLAP (for
LocalTalk networks). Interpreted in the AppleTalk PI.

LAPB  Link Access Protocol, Balanced. A subset of HDLC.

LAST  Local Area System Transport. Protocol for remote booting in
DECnet/DOS.

LAVC  Local Area Vax Cluster. An adaptation of the System
Communication Architecture (SCA) to run over the Ethernet
instead of a CI bus. Used to enable MicroVAXs to operate as
diskless nodes.

LLAP  See LAP.

LAT  Local Area Transport. The DECnet protocol that handles
multiplexed terminal (keyboard and screen) traffic to and from
timesharing hosts. Interpreted in the DECnet PI suite.

leased line  Same as a leased circuit, dedicated circuit, or leased channel. A
telephone line rented for exclusive continuous use. Commonly
used to connect LANs remote from one another.

link protocol  The set of rules by which a logical data link is set up and by which
data transfers across the link. Includes formatting of the data.

LLC  Logical Link Control. A protocol that provides connection
control and multiplexing to subsequent embedded protocols;
standardized as IEEE 802.2 and ISO/DIS 8802/2.

LMI  Local Management Interface. An access signaling protocol
defined for Frame Relay circuits. LMI carries information on the
status of PVCs between the network and a subscriber device.
Optional additions to LMI include multicasting, global
addressing, and flow control.
LOOP  Loopback protocol. A protocol under Ethernet for sending
diagnostic probe messages.

LSA  Lost Subarea. An SNA error condition.

LU 6.2  Logical Unit 6.2. A subset of the SNA protocols used for
peer-to-peer communications between computers.

LUSTAT  Logical Unit Status. An SNA message used to send status
information.

MAC  Medium Access Control. The protocol level that describes
network management frames sent on the 802.5 token ring. Most
MAC frames are handled transparently by the network adapter.

Mail Service  Protocol used (in conjunction with StreetTalk) for the
transmission of messages in the VINES distributed electronic mail
system. Interpreted in the Banyan VINES PI suite.

Manchester encoding  A data encoding technique that uses a transition at the middle of
each bit period that serves as a clock and also as data.

MAP  Manufacturing Automation Protocol. A multilayer networking
protocol developed primarily by General Motors for
manufacturing control applications.

Matchmaker  Protocol used by the VINES service that provides high-level
program-to-program communication, including translation as
necessary to match the conventions of sender’s and receiver’s
formats. Matchmaker is descended from XNS Courier.
Interpreted in the Banyan VINES PI suite.

MAU  Multiple Access Unit (also Medium Attachment Unit). The wiring
concentrator or transceiver used for attaching stations connected
to the network.

MIB  Management Information Data Base. The structured database of
network statistical information used by the SNMP and CMIP
protocols.

MIC  Media Interface Connector. An optical fiber connector pair that
links the fiber media to the FDDI node or another cable.
modem  A contraction of modulate and demodulate; a conversion device installed in pairs at each end of an analog communications line. The modulator part of the modem codes digital information onto an analog signal by varying the frequency of the carrier signal. The demodulator part extracts digital information from a modulated carrier signal.

MOP  Maintenance Operations Protocol. A protocol under DECnet for remote testing and problem diagnosis. Interpreted in the DECnet PI suite.

MOUNT  A protocol developed by Sun Microsystems that provides request access checking and user validation. It is used in conjunction with NFS. Interpreted in the Sun PI suite.

multicast  (1) A message directed to a group of stations on a network or collection of networks (contrast with broadcast).
(2) A destination address that designates such a subset.

multiplexing  Sending several signals over a single line and separating them at the other end.

N(R)  Receive sequence number. An LLC or HDLC field for I frames that indicates the sequence number of the next frame expected; all frames before N(R) are thus implicitly acknowledged.

N(S)  Send sequence number. An LLC or HDLC field for I frames that indicates the sequence number of the current frame within the connection.

NBP  (1) Name-Binding Protocol. Used in AppleTalk networks to permit network users to use character names for network services and sockets. NBP translates a character-string name within a zone into the corresponding socket address. Interpreted in the AppleTalk PI suite.
(2) NetBIOS Protocol. Used in 3Com 3+ Open software. Interpreted in the XNS PI suite.

NC  Network Control. An SNA subprocess.

NCP  NetWare Core Protocol. Novell’s application-level protocol for the exchange of commands and data between file servers and workstations. Interpreted in the Novell NetWare PI suite.
ND  Network Disk. A protocol within the Sun NFS family used to access virtual disks located remotely across the network. Interpreted in the TCP/IP PI suite.

NetBIOS  Network Basic I/O System.
(1) A protocol implemented by the PC LAN Program to support symbolically named stations and the exchange of arbitrary data.
(2) The programming interface (API) used to send and receive NetBIOS messages.
There exist several different and incompatible implementations of NetBIOS, and separate PIs for them, as, for example, in the IBM and the TCP/IP PI suites.

NETBLT  Network Block Transfer. A protocol within earlier versions of TCP/IP. Not interpreted in the TCP/IP PI suite.

NetWare  The networking system designed by Novell Inc. and the protocols used therein.

Network Management  1. A general term describing the protocols and applications used to manage networks.
2. A protocol transmitted by a Matchmaker frame in Banyan VINES.

network object  The Expert Sniffer analyzer creates network objects by performing multilevel protocol analysis on the frames that pass through its real-time protocol interpreters. In this way, the Expert analyzer can distill a relatively small number of network objects from the huge body of information it processes. Network objects can be any of the following: a DLC station, a network station, a connection, an application, or a subnetwork.

network topology  The geography of a network. Examples of network geographies include ring, bus, and star.

NEU  Network Extension Unit. A concentrator and repeater for StarLAN networks.

NFS  Network File System. A protocol developed by Sun Microsystems for requests and responses to a networked file server. Interpreted in the Sun PI suite.
NGCP  Network General Control Protocol. Network General Corporation protocol used for communications between Distributed Sniffer System consoles and servers.

NHU  Network Hub Unit. A concentrator and repeater for StarLAN networks.

NICE  Network Information and Control Exchange. The DECnet protocol for network management. Interpreted in the DECnet PI suite.

NIF  Neighbor Information Frame. Used by stations on an FDDI ring to announce their addresses to downstream neighbors.

NIS  Network Information Services. Previously known as “Yellow Pages.” A set of services in the Network File System that propagate information from masters to recipients. Used for the maintenance of system files on complex networks.

nodes  Points in a network where service is provided, service is used, or communications channels are interconnected. “Node” is sometimes used interchangeably with “workstation.”

NRZ  Non-return to Zero.

NRZI  Non-return to Zero Inverted. A binary encoding scheme that inverts the signal on a “one” and leaves the signal unchanged for a “zero.” The Sniffer Internetwork Analyzer can interpret both NRZ and NRZI, but you must set the correct option in the Options menu.

NSP  Network Services Protocol. The DECnet protocol that provides reliable message transmission over virtual circuits. Interpreted in the DECnet PI suite.

null modem  A cross-pinned cable used for DTE to DTE communications. Sometimes called a modem eliminator.

octet  A string of eight bits. Synonymous with Byte.

OpenNET  A networking system from the Intel Corporation that uses parts of the OSI standards and components of the Microsoft/IBM PC LAN program. Interpreted in the ISO PI suite.
OSI  Open Systems Interconnection. A generalized model of a layered architecture for the interconnection of systems.

overhead  In data communications, all information found on the network at a given time. Includes control, routing, and error-checking characters, in addition to user-transmitted data.

packet  The multi-byte unit of data transmitted at one time by a station on the network. Synonymous with Frame.

packet switching  A method for sending data in packets through a network to some remote location. The data to be sent is subdivided into individual packets of data, each having a unique identification and carrying its destination address. This way, each packet can go by a different route, possibly arriving in a different order than it was shipped. The packet ID allows the data to be reassembled in proper sequence.

PAD  Packet Assembler Disassembler. Special purpose computer on an X.25 network that allows asynchronous terminals to use the synchronous X.25 network by packaging asynchronous traffic into a packet.

PAP  Printer Access Protocol. A protocol within AppleTalk that uses ATP XO commands to create a stream-like service for communication between user stations and the Apple LaserWriter or similar stream-based devices. Interpreted in the AppleTalk PI suite.

parallel interface  An interface which permits parallel transmission, or simultaneous transmission of the bits making up a character or byte, either over separate channels or on different carrier frequencies of the same channel.

parity  A process for detecting whether bits of data have been altered during transmission of that data.

parity bit  A binary bit appended to an array of bits to make the sum of the bits always odd or always even. Used with a parity check for detecting errors in transmitted binary data.
patch panel  A device in which temporary connections can be made between incoming and outgoing lines. Used for modifying or reconfiguring a communications system or for connecting test instruments (such as the Sniffer Network Analyzer) to specific lines.

PCI  Personal Computer Integration. Data General’s nomenclature for their networking system. Protocols used include the ISO IP and TP4 levels and the Microsoft/IBM PC LAN program SMB protocols. Interpreted in the ISO PI suite.

PCF  Physical Control Fields. The part of the token ring DLC header that includes the AC and FC fields.

PDU  Protocol Data Unit. The data delivered as a single unit between peer processes on different computers.

PEP  Packet Exchange Protocol. A protocol within the XNS family used to exchange datagrams. Interpreted in the XNS/MS-Net PI suite.

PI  Protocol Interpreter. A program that knows the frame format and transaction rules of a communications protocol and can decode and display frame data.

PING  A TCP/IP tool supplied with TCP/IP Distributed Sniffer System. PING is a diagnostic utility that sends ICMP Echo Request messages to a specific IP address on the network.

PMAP  Port Mapper. A protocol developed by Sun Microsystems for mapping RPC program numbers to TCP/IP port numbers. Interpreted in the Sun PI suite.

port  The physical access point to a computer, multiplexor, device, or network where signals may be sent or received.

preamble  A fixed data pattern transmitted before each frame to allow receiver synchronization and recognition of the start of a frame.

protocol  A specific set of rules, procedures, or conventions governing the format and timing of data transmission between two devices.

protocol interpreter  The Sniffer analyzer uses its protocol interpreters to identify the protocols nested within each frame and interpret their contents.
PUP  PARC Universal Packet. A type of Ethernet packet formerly used at the Xerox Corporation’s Palo Alto Research Center. Interpreted in the XNS/MS-Net and the TCP/IP PIs but not included in their protocol diagrams since no longer in regular use.

PVC  Permanent Virtual Circuit. A unique, predefined logical path between two endpoints of a network.

RAM  Random Access Memory. A chip or collection of chips where data can be entered, read, and erased. RAM is the fastest memory device, but loses its memory when power is shut off.

RARP  Reverse Address Resolution Protocol. A protocol within TCP/IP for finding a node’s IP address given its DLC address. Interpreted in the TCP/IP PI suite.

RDP  Reliable datagram protocol. A protocol within an earlier version of TCP/IP. Not interpreted in the TCP/IP PI suite.

REJ  Reject. An LLC frame type that requests retransmission of previously sent frames.

REM  Ring Error Monitor. A station on the 802.5 token ring network that collects MAC-level error messages from the other stations.

repeater  A device inserted at intervals along a circuit to boost, amplify, and/or regenerate the signal being transmitted.

RFC  Request For Comment. Designation used in DoD/TCP protocol research and development.

RG-58  The designation for 50-ohm coaxial cables used by Cheapernet (thin Ethernet).

RG-59  The designation for 75-ohm coaxial cables used by PC Network (broadband).

RG-62  The designation for 93-ohm coaxial cables used by ARCNET.

RGBI  Red-Green-Blue-Intensity. An interface used for attaching a color monitor to a personal computer; DB-9 connectors are typically used.
RH  Request/response header. An SNA control field prior to a Request Unit or Response unit.

RI  Routing Information. A protocol at the logical link level for devices operating on the token ring. Interpreted by the token ring and Ethernet Distributed Sniffer System independent of other PIs.

RII  Routing Information Indicator. If the first bit in the source address field of a token ring frame is 1, then the data field begins with Routing Information. Interpreted by the token ring and Ethernet Distributed Sniffer System independent of other PIs.

RIP  Routing Information Protocol. A protocol within the XNS and TCP/IP families used to exchange routing information among gateways. Interpreted in the XNS PI suite and in the TCP/IP PI suite.

RJ-45  The designation for the 8-wire modular connectors used for StarLAN and 10BASE-T networks. It is similar to, but wider than, the standard (RJ-11) telephone modular connectors.

RMS  Resource Management System. A set of protocols used by Datapoint to communicate from client stations to servers.

RNR  Receive Not Ready. An LLC and HDLC command or response indicating that transmission is blocked.

router  (1) An internet linking device operating at network layer 3.
(2) A protocol transmitted by a Matchmaker frame in Banyan VINES.

RPC  Remote Procedure Call. A protocol for activating functions on a remote station and retrieving the result. Interpreted in the Sun PI suite. A similar protocol exists in Xerox XNS.

RPL  Remote Program Load. A protocol used by IBM on the IEEE 802.5 token ring network to download initial programs into networked stations. Interpreted in the IBM PI suite.

RPS  Ring Parameter Server. A station on a token ring network that maintains MAC-level information about the LAN configuration such as ring numbers and physical location identifiers.
RR  Receive ready. An LLC non-data frame indicating readiness to receive data from the other station.

RS-232C  Recommended Standard 232. EIA standard defining electrical characteristics of the signals in the cables that connect a DTE and a DCE.

RSTAT  Remote status. A protocol within the Sun NFS family used to exchange statistics on network activity. Interpreted in the Sun PI suite.

RTMP  Routing Maintenance Protocol. Used in AppleTalk networks to allow routers dynamically to discover routes to the various networks of an internet. A node that is not a router uses a subset of RTMP (the RTMP stub) to determine the number of the network to which it is connected and the node IDs of routers on its network. Interpreted in the AppleTalk protocol interpreter.

RTP  Routing Update Protocol. Used to distribute network topology information. Interpreted in the Banyan VINES PI suite.

RU  Request Unit/Response unit. The part of an SNA frame after the RH that contains the details of a request or its response.

RUnix  Remote Unix. A protocol atop TCP/IP for issuing remote requests over the network to a UNIX host.

S  Supervisory. An LLC, HDLC, or SDLC frame type used for control functions.

SABM  Set Asynchronous Balanced Mode. An LLC non-data frame requesting the establishment of a connection over which numbered I frames may be sent.

SABME  Set Asynchronous Balanced Mode (Extended). SABM with two more bytes in the control field. Used in LAPB.

SAC  Single Attachment Concentrator. A concentrator that offers one S port for attachment to the FDDI network and M ports for the attachment of stations or other concentrators.

SAP  Service Access Point.
(1) A small number used by convention or established by a standards group, that defines the format of subsequent LLC data; a means of demultiplexing alternative protocols supported by LLC.
(2) Service Advertising Protocol. Used by NetWare servers to broadcast the names and locations of servers and to send a specific response to any station that queries it.

SAS  Single Attachment Station. An FDDI station that offers one S port for attachment to the FDDI ring.

SBI  Stop Bracket Initiation. An SNA message sent to request that the other station not initiate any more brackets.

SC  Session Control. An SNA subprocess for establishing and maintaining connections.

SCP  Session Control Protocol. The DECnet protocol concerned with the establishment of virtual circuits over which NSP transfers data; interpreted in the DECnet PI suite.

SCSI  Small Computer Standard Interface. Pronounced “scuzzy.” A standard for connecting disk drives to disk controllers, used typically in small multiuser computers.

SDLC  Synchronous Data Link Control. An older serial communications protocol that was the model for LLC and with which it shares many features.

semaphore  A synchronization mechanism on an operating system.

serial interface  An interface which requires serial transmission, or the transfer of information in which the bits composing a character are sent sequentially. Implies only a single transmission channel.

SESSION  Name for the session-level protocol in the ISO series, interpreted in the ISO PI suite.

Server  A protocol transmitted by a Matchmaker frame in Banyan VINES.
SIF  Status Information Frame. Used by stations on an FDDI ring to exchange information about station configuration and operating parameters.

SIG  Signal. A high-priority SNA message used to request permission to send.

SMB  Server Message Block. A message type used by the IBM PC LAN Program and LAN Manager to make requests from a user station to a server and receive replies. Many of the functions are similar to those made by an application program to DOS or to OS/2 running on a single computer. Interpreted in the IBM, XNS, TCP/IP, ISO, DECnet, and Banyan VINES PI suites.

SMT  Station Management. Provides ring management, connection management, and SMT frame services for an FDDI ring.

SMTP  Simple Mail Transfer Protocol. A protocol within TCP/IP for reliable exchange of electronic mail messages. Interpreted in the TCP/IP PI suite.

SNA  Systems Network Architecture. A complex set of protocols used by IBM for network communications, particularly with mainframe computers. Interpreted in the IBM PI suite.

SNAP  Sub-Network Access Protocol (also sometimes called Sub-Network Access Convergence Protocol). An extension to IEEE 802.2 LLC that permits a station to have multiple network-layer protocols. The protocol specifies that DSAP and SSAP addresses must be AA hex. A field subsequent to SSAP identifies one specific protocol. Interpreted in the TCP/IP PI suite and the AppleTalk PI suite. (See RFC 1042 for further information on SNAP.)

SniffMaster Console  The Distributed Sniffer System (DSS) client that communicates with the DSS Sniffer Servers from any point on the network. The Console delivers instructions to the Server and reads the output of the Server’s analysis. The Console is a computer that uses proprietary software and hardware. The proprietary hardware is a network interface card called a Transport Card for communicating over the network with Servers.
Sniffer Server  The Distributed Sniffer System (DSS) server that captures and analyzes packet level network data under instructions from the client, a DSS SniffMaster Console. The Server is a computer that uses proprietary software and hardware. The Sniffer Server’s analysis applications are based on the Sniffer network analyzer and the Advanced Network Monitor. The Server uses two network interface cards: a Transport Card that supports communication with Consoles and a Monitor card that is used to capture frames and collect statistics from the network.

SNMP  Simple Network Management Protocol. Interpreted in the TCP/IP PI suite.

SNRM  Set Normal Response Mode. Place a secondary station in a mode that precludes it from sending unsolicited frames. The primary station controls all message flow. Used in SDLC.

SNRME  Set Normal Response Mode (Extended). SNRM with two more bytes in the control field. Used in SDLC.

socket  A logically addressable entity or service within a node, serving as a more precise identification of sender or recipient.

spanning tree  A method of creating a loop-free logical topology on an extended LAN. Formation of a spanning tree topology for transmission of messages across bridges is based on the industry-standard spanning tree algorithm defined in IEEE 802.1d.

SPP  Sequenced Packet Protocol. A virtual-circuit connection-oriented protocol in XNS.

SPP  Sequenced Packet Protocol.
(1) The XNS protocol that supports reliable connections using sequenced data; interpreted in the XNS PI suite. A variant called SPX is used in Novell NetWare.
(2) The transport-level protocol that provides virtual connection service in Banyan VINES, based upon the protocol of the same name in XNS. Interpreted in the Banyan VINES PI suite.

SPX  Sequential Packet Exchange. Novell’s version of the Xerox protocol called SPP. Interpreted in the Novell NetWare PI suite.
SQE  Signal Quality Error. The 802.3/Ethernet collision signal from the transceiver.

SQE test  The SQE signal generated by the transceiver at the end of a transmitted frame to check the SQE circuitry. Also known as heartbeat in Ethernet.

SS7  Signaling System 7. Protocol related to ISDN. Directs how the interior of an ISDN network is managed.

SSAP  Source Service Access Point. The LLC SAP for the protocol used by the originating station.

SSCP  System Services Control Point. An SNA identification of communications management functions.

StarLAN  A network developed by AT&T Bell Labs and based upon a derivative of the CSMA/CD (Ethernet) network standard originally developed by Xerox; similar to (and often used interchangeably with) the IEEE 802.3 standard.

StreetTalk  Protocol used in Banyan VINES to maintain a distributed directory of the names of network resources. In VINES names are global across the internet and independent of the network topology. Interpreted in the Banyan VINES PI suite.

SUA  Stored Upstream Address. The network address of a token ring station’s nearest upstream neighbor. Texas Instruments calls this the UNA (see Upstream Neighbor Address).

subnet  A term used to denote any networking technology that makes all nodes connected to it appear to be one hop away. In other words, the user of the subnet can communicate directly to all other nodes on the subnet. A collection of subnets together with a routing or network layer combine to form a network.

SVC  Switched Virtual Circuit. A virtual circuit that is set up on demand, as in the case of a dial-up telephone line, or an X.25 call.

symptom  An abnormal or unusual network event which the Expert analyzer.

T1  A digital transmission link with a capacity of 1.544 Mbits/sec.
Talk  A protocol transmitted by a Matchmaker frame in Banyan VINES.

TC  Transmission Control. An SNA subprocess.

TCP  Transmission Control Protocol. The connection-oriented byte-stream protocol within TCP/IP that provides reliable end-to-end communication by using sequenced data sent by IP. Interpreted in the TCP/IP PI suite.

TCP/IP  Transmission Control Protocol/Internet Protocol. A suite of networking protocols developed originally by the US Government for Arpanet and now used by several LAN manufacturers. The individual TCP/IP protocols are listed separately in this Glossary.

Telnet  Protocol for transmitting character-oriented terminal (keyboard and screen) data. Interpreted in the TCP/IP PI suite.

terminator  A resistive connector used to terminate the end of a cable or an unused tap into its characteristic impedance. The terminator prevents interference-causing signal reflections from the ends of the cable.

TFTP  Trivial File Transfer Protocol. A protocol within TCP/IP used to exchange files between networked stations. Interpreted in the TCP/IP PI suite.

TH  Transmission header. The initial part of an SNA frame immediately following the LLC header.

THT  Token Holding Timer. The maximum length of time a station holding the token can initiate asynchronous transmissions. The THT is initialized with the value corresponding to the difference between the arrival of the token and the TTRT (FDDI).

token  A small message used in some networks to represent the permission to transmit; it is passed from station to station in a predefined sequence.

token bus  A type of LAN where all stations can hear what any station transmits and where permission to transmit is represented by a token sent from station to station.
token ring  A type of LAN where stations are wired in a ring and each can directly hear transmissions only from its immediate neighbor. Permission to transmit is granted by a token that circulates around the ring.

TP  Transport-level Protocol. It exists in alternate forms, depending on how the services it assumes are provided to it by the network level below it. TP 0 assumes that the connection is maintained at the lower level, while TP 4 assumes a connectionless network protocol, so that functionality for the establishment and maintenance of a connection are included in the transport protocol. Levels 0, 2, and 4 are interpreted in the ISO PI suite.

trigger  A Sniffer analyzer feature that allows a user to define an event after which the analyzer will stop capture to ensure that frames preceding or following the event are retained in the capture buffer.

TRLR  Trailer format. Variant of IP in which the protocol headers follow rather than precede the user data.

TRT  Token Rotation Timer. A clock that times the period between the receipt of tokens (FDDI).

TS  Transmission Services. An SNA subprocess.

TSR  Terminate and Stay Resident. A DOS program that once loaded into RAM, remains there in the background until unloaded or power is shut off.

TTRT  Target Token Rotation Timer. The value used by the MAC receiver to time the operations of the MAC layer. The TTRT value varies depending on whether or not the ring is operational (FDDI).

TVX  Valid Transmission Timer. A timer that times the period between valid transmissions on the ring; used to detect excessive ring noise, token loss, and other faults (FDDI).

UA  Unnumbered Acknowledgment. An LLC frame that acknowledges a previous SABME or DISC request.
UDP  User Datagram Protocol. A protocol within TCP/IP for sending unsequenced data frames not otherwise interpreted by TCP/IP.

UI  Unnumbered Information. An LLC, HDLC, or SDLC frame type used to send data without sequence numbers.

UNA  Upstream Neighbor Address. The network address of a token ring station’s nearest upstream neighbor. IBM calls this the SUA (see Stored Upstream Address).

UNIX  A popular portable operating system written by AT&T.

VINES  VIrtual NEtwork Software. The networking operating system developed by Banyan Systems Inc., and the protocols used therein. Notable components are StreetTalk and MatchMaker.

virtual circuit  A communications link that appears to be a dedicated point-to-point circuit.

VMTP  Versatile Message Transaction Protocol (proposed).

VTP  Virtual Terminal Protocol.

V.35  A CCITT wideband interface recommendation for WANs.

WAN  Wide Area Network. A collection of LANs, or stations and hosts, extending over a wide area that can be connected via common carrier or private lines. Typically, transmission speeds are lower on a WAN than on a LAN.

X.25  A CCITT recommendation that defines the standard communications interface for access to packet-switched networks.

X.400  ISO standard protocol for electronic mail. Interpreted in the ISO PI suite.

X.500  ISO standard protocol for directory services. Similar to DNS and NIS.

XID  Exchange Identification. An LLC unnumbered frame type used to negotiate what LLC services will be used during a connection.
XNS  Xerox Network Systems. A family of protocols standardized by Xerox; in particular the Internet Transport Protocols.

X Windows  Protocol for the management of high-resolution color windows at workstations, originated by MIT, DEC, and IBM and subsequently transferred to a consortium of vendors and developers.

YP  Yellow Pages. A protocol developed by Sun Microsystems for implementing a distributed resource look-up database; similar in function to DNS. Interpreted in the Sun PI suite. Now called “NIS.”

ZIP  Zone Information Protocol. Used in AppleTalk to maintain an internet-wide mapping of networks to zone names. ZIP is used by the Name-Binding Protocol (NBP) to determine which networks belong to a given zone. Interpreted in the AppleTalk PI suite.

Zone  In AppleTalk networks, a set of one or more nodes within an internet.
Sniffer® University Course Descriptions

Introduction to LAN Technology

Course: TC-101A

Gain a strong understanding of layered network architecture, LAN topologies, network terminology, trends, design, performance issues, and the future directions of network management in the 1990s in this one-day class. This course is specifically designed to help new network professionals and other department managers understand the function and use of their networks.

Level: Introductory

Prerequisites: None

Audience: Anyone who needs an introduction to LAN terminology and network technology

Troubleshooting with the Expert Sniffer Network Analyzer*

Course: TC-101C

Learn network troubleshooting processes and approaches. Gain a solid understanding of how to use the Expert Sniffer Network Analyzer in problem identification, troubleshooting and basic protocol analysis techniques in this two-day, hands-on class.

*Note: This course will help you prepare for the CNX examination.

Level: Introductory

Prerequisites: A general understanding of LAN technologies and topologies

Audience: Network professionals involved in planning and problem solving who want to get the most out of their Network General troubleshooting tools
LEARNING PATH (diagram of Sniffer University courses): Introduction to LAN Technology (TC-101A); Troubleshooting with the Expert Sniffer Network Analyzer (TC-101C); Introduction to Network Monitoring with RMON (TC-MON1); Network Performance Analysis & Baselining (TC-BASE); TCP/IP Network Analysis & Troubleshooting; Novell NetWare Network Analysis & Troubleshooting; Advanced Network Analysis & Troubleshooting; LAN/WAN Internetwork Analysis & ...; Multiprotocol Monitoring & Analysis with ...

Introduction to Network Monitoring with RMON

Course: TC-MON1

Learn about proactive network monitoring using RMON technology. Use Foundation Manager™ to characterize the network, isolate problems, determine thresholds and alarms, and generate reports in this two-day, hands-on class.

Level: Introductory

Prerequisites: Installation of Foundation Manager and completion of the Foundation Manager tutorials in the Getting Started Guide

Audience: Network professionals involved in baselining and monitoring remote LAN segments who want to get the most out of Foundation Manager
Ethernet Network Analysis & Troubleshooting*

Course: TC-102

Identify, analyze, and troubleshoot real-life Ethernet LAN problems using the Expert Sniffer Network Analyzer. Discuss network specifications, topologies, and common problems. Learn how to diagnose problems and proactively plan for situations and events on Ethernet networks in this two-day, hands-on class.

*Note: This course will help you prepare for the CNX examination.

Level: Intermediate

Prerequisites: Troubleshooting with the Expert Sniffer Network Analyzer (TC-101C) or detailed knowledge of the Expert Sniffer Network Analyzer and a solid understanding of layered network architecture

Audience: Network professionals involved with the operation and maintenance of Ethernet LANs

Multiprotocol Network Analysis & Troubleshooting*

Course: TC-104

Identify, analyze, and troubleshoot real-life Ethernet and token ring LAN problems using the Expert Sniffer Network Analyzer. Discuss network specifications, topologies, and common problems. Learn how to diagnose problems and proactively plan for situations and events on Ethernet and token ring networks in this three-day, hands-on class.

*Note: This course will help you prepare for the CNX examination.

Level: Intermediate

Prerequisites: Troubleshooting with the Expert Sniffer Network Analyzer (TC-101C) or detailed knowledge of the Expert Sniffer Network Analyzer and a solid understanding of layered network architecture

Audience: Network professionals involved with the operation and maintenance of both Ethernet and token ring LANs

Token Ring Network Analysis & Troubleshooting*

Course: TC-105


Identify, analyze, and troubleshoot real-life token ring 
LAN problems using the Expert Sniffer Network 
Analyzer. Discuss network specifications, topologies, 
and common problems. Learn how to diagnose 
problems and proactively plan for situations and 
events on token ring networks in this two-day, hands- 
on class. 

*Note: This course will help you prepare for the CNX 
examination. 


Level: Intermediate 


Prerequisites: Troubleshooting with the Expert 
Sniffer Network Analyzer (TC-101C) or detailed 
knowledge of the Expert Sniffer Network Analyzer 
and a solid understanding of layered network 
architecture 


Audience: Network professionals involved with the 
operation and maintenance of token ring LANs 


Multiprotocol Monitoring & Analysis with 
RMON 


Course: TC-MON2 


Identify, analyze, and monitor Ethernet and token ring 
networks with Foundation Manager. Learn how to 
analyze and monitor real-life network traffic in this 
three-day hands-on class. 


Level: Intermediate 


Prerequisites: Introduction to Network Monitoring 
with RMON (TC-MON1) or an in-depth working 
knowledge of layered network architecture, LANs, 
and Foundation Manager (You should have 
Foundation Manager Protocol Interpreters to get the 
most from this class.) 


Audience: Network professionals who use Foundation 
Manager, with the optional Protocol Interpreter 
package, as their network analysis and 
troubleshooting tool 
FDDI Network Analysis & Troubleshooting

Course: TC-108

Focus on identifying, analyzing, and troubleshooting real-life FDDI problems using the FDDI Sniffer® Network Analyzer. Discuss the PMD, PHY, MAC, and SMT layers. Learn how to study frames, protocol layers, ring order, ring topology, and station types to isolate FDDI problems in this two-day, hands-on class.

Level: Intermediate

Prerequisites: Troubleshooting with the Expert Sniffer Network Analyzer (TC-101C) or detailed knowledge of the Expert Sniffer Network Analyzer and a solid understanding of layered network architecture

Audience: Network professionals involved with the operation and maintenance of FDDI networks

LAN/WAN Internetwork Analysis & Troubleshooting

Course: TC-107

Focus on monitoring, analyzing, and troubleshooting internetworks using the Sniffer® Internetwork Analyzer. Discuss specifications, protocol analysis, and case studies of T1, frame relay, and X.25 bridge/router internetworks. Examine causes for slow response time, retransmissions, and broadcast storms in HDLC/X.25 and Novell WAN environments in this three-day, hands-on class.

Level: Intermediate

Prerequisites: Troubleshooting with the Expert Sniffer Network Analyzer (TC-101C) or detailed knowledge of the Expert Sniffer Network Analyzer and a solid understanding of layered network architecture

Audience: Network professionals involved with the operation and maintenance of internetworks

Managing the Enterprise Network with Distributed Sniffer System®

Course: TC-DSS

Learn to plan, install, configure, and expand your Distributed Sniffer System. Make in-band and out-of-band serial connections from SniffMaster® Consoles to Sniffer Servers to effectively manage remote network segments. Master basic as well as advanced capabilities of Sniffer Servers, such as acquiring data in an unattended mode and creating reports from that data. Special focus is placed on having Sniffer Servers contact SniffMaster Consoles based on Expert thresholds.

Level: Intermediate

Prerequisites: Troubleshooting with the Expert Sniffer Network Analyzer (TC-101C) or detailed knowledge of the Expert Sniffer Network Analyzer and a solid understanding of layered network architecture

Audience: Network professionals who are using or installing the Distributed Sniffer System to operate and maintain an enterprise network

TCP/IP Network Analysis & Troubleshooting

Course: TC-103

Focus on troubleshooting all layers of the TCP/IP network architecture. Discuss the TCP/IP protocol suite. Get extensive hands-on experience analyzing and troubleshooting real-life problems. Learn about TCP/IP and all related protocols including ARP, ICMP, UDP, RPC, FTP, NFS, NIS, RUNIX, SMTP, TFTP, TELNET, and SNMP in this three-day, hands-on class.

Level: Advanced

Prerequisites: Ethernet or Token Ring Network Analysis and Troubleshooting (TC-102, TC-104, or TC-105) or an in-depth working knowledge of the Expert Sniffer Network Analyzer, layered network architecture, and LAN technologies and topologies

Audience: Network professionals involved in analyzing and troubleshooting TCP/IP network architecture.
Novell NetWare Network Analysis & Troubleshooting

Course: TC-106

Learn how the components of the NetWare protocol stack interoperate to provide end-user and programmer services, and how client and server configurations impact traffic on the LAN. Troubleshoot communication problems with detailed analysis of IPX, SPX I and II, SAP, RIP, NLSP, Transport Layer header, Large Internet Packets, and Packet Burst Protocol. Practice analyzing and troubleshooting Network Core Protocol Primitives including the binderies, NetWare Directory Services, printing, file service processes, and file locking. Explore server and workstation boot processes from "the wire" to find solutions to problems not revealed in workstation and server messages. Discuss LAN optimization through techniques developed by Network General that come from our many years of troubleshooting customer NetWare networks. Finally, put all of this information together with troubleshooting suggestions and guided exercises using trace files from real-world networks.

Level: Advanced

Prerequisites: Ethernet or Token Ring Network Analysis and Troubleshooting (TC-102, TC-104, or TC-105) or an in-depth working knowledge of the Expert Sniffer Network Analyzer, layered network architecture, and LAN technologies and topologies

Audience: Network technicians, administrators, managers, CNEs, CNAs, and anyone directly responsible for the operation, design, and maintenance of Novell's NetWare networks

Advanced Network Analysis & Troubleshooting*

Course: TC-109


Analyze and troubleshoot complex real-world 
problems. Apply advanced Expert Sniffer Network 
Analyzer features such as scheduling, frame editing, 
and protocol forcing to help solve network problems 
in Ethernet and token ring environments. Learn 
strategies for using network monitoring and reporting 
tools to complement the tactical uses of the Expert 
Sniffer Network Analyzer. Learn the methodology of 
performing a network health assessment in this four- 
day, hands-on class. 

*Note: This course will help you prepare for the CNX 
examination. 


Level: Advanced 


Prerequisites: Ethernet or Token Ring Network 
Analysis and Troubleshooting (TC-102, TC-104, or 
TC-105) or an in-depth working knowledge of the 
Expert Sniffer Network Analyzer, layered network 
architecture, and LAN technologies and topologies 


Audience: Network professionals directly responsible 
for network operation, design, and maintenance 


Network Performance Analysis & 
Baselining 


Course: TC-BASE 


Learn the procedures for the collection and analysis of 
network performance data, as well as techniques for 
reporting and graphing baseline results. During this 
four-day, hands-on course, assess performance 
characteristics of networks and develop baseline 
reports that you can use in capacity planning, tracking 
trends, planning reconfigurations, and setting network 
management alarm thresholds. 


Level: Expert 


Prerequisites: Advanced Network Analysis and 
Troubleshooting (TC-109) 


Audience: Network professionals experienced in 
troubleshooting with the Expert Sniffer Network 
Analyzer on their own network or in a consultant 
capacity who want to sharpen their network 
baselining skills 